Document made available under the 
Patent Cooperation Treaty (PCT) 



International application number: PCT/GB05/000231 
International filing date: 24 January 2005 (24.01.2005) 



Document type: Certified copy of priority document 

Document details: Country/Office: GB 

Number: 0407913.3 

Filing date: 07 April 2004 (07.04.2004) 



Date of receipt at the International Bureau: 02 March 2005 (02.03.2005) 

Remark: Priority document submitted or transmitted to the International Bureau in
compliance with Rule 17.1(a) or (b)




World Intellectual Property Organization (WIPO) - Geneva, Switzerland 
Organisation Mondiale de la Propriété Intellectuelle (OMPI) - Genève, Suisse







The Patent Office 
Concept House 
Cardiff Road 
Newport 
South Wales 
NP10 8QQ 



I, the undersigned, being an officer duly authorised in accordance with Section 74(1) and (4) 
of the Deregulation & Contracting Out Act 1994, to sign and issue certificates on behalf of the 
Comptroller-General, hereby certify that annexed hereto is a true copy of the documents as 
originally filed in connection with the patent application identified therein. 



In accordance with the Patents (Companies Re-registration) Rules 1982, if a company named 
in this certificate and any accompanying documents has re-registered under the Companies Act 
1980 with the same name as that with which it was registered immediately before
re-registration save for the substitution as, or inclusion as, the last part of the name of the words
"public limited company" or their equivalents in Welsh, references to the name of the company 
in this certificate and any accompanying documents shall be treated as references to the name 
with which it is so re-registered. 



In accordance with the rules, the words "public limited company" may be replaced by p.l.c.,
plc, P.L.C. or PLC.

Re-registration under the Companies Act does not constitute a new legal entity but merely 
subjects the company to certain additional company law rules. 



Signed 




Dated 4 February 2005 




An Executive Agency of the Department of Trade and Industry 



07-APR-2004 17:08 FROM MARKS & CLERK TO PAT OFF GB P. 23




Patents Form 1/77

Patents Act 1977

Request for grant

(See the notes on the back of this form. You can also get
an explanatory leaflet from the Patent Office to help you fill
in this form)

The Patent Office
Cardiff Road
Newport
Gwent NP9 1RH

1. Your reference: GBP290155X

2. Patent application number
(The Patent Office will fill in this part): 0407913.3

3. Full name, address and postcode of the or of
each applicant (underline all surnames):

Cryptomathic A/S
Kannikegade 14, 3
Aarhus C DK-8000
Denmark

Patents ADP number (if you know it):

If the applicant is a corporate body, give the
country/state of its incorporation: Denmark

4. Title of the invention: Electronic Voting Systems

5. Name of your agent (if you have one): Marks & Clerk

"Address for service" in the United Kingdom
to which all correspondence should be sent
(including the postcode):

66-68 Hills Road
Cambridge
CB2 1LA

Patents ADP number (if you know it): [illegible]

6. Priority: Complete this section if you are
declaring priority from one or more earlier
patent applications, filed in the last 12
months

Country: United Kingdom

Priority application No (if you know it): 0406722.9

Date of filing (day / month / year): 25 March 2004

7. Divisionals, etc: Complete this section
only if this application is a divisional
application or resulted from an
entitlement dispute

Number of earlier application:

Date of filing (day / month / year):

8. Is a Patents Form 7/77 (Statement of inventorship and of right to grant of a patent)
required in support of this request?

(Answer 'Yes' if:

a) any applicant named in part 3 is not an inventor, or
b) there is an inventor who is not named as an applicant, or
c) any named applicant is a corporate body.

See note (d))

Yes






9. Accompanying documents: A patent application must include
a description of the invention. Not counting duplicates please
enter the number of pages of each item accompanying this form:

Continuation sheets of this form: 0

Description: 52

Claim(s): 9

Abstract: 1

Drawing(s): 9

10. If you are also filing any of the following,
state how many against each item.

Priority documents
Translations of priority documents

Statement of inventorship and right
to grant of a patent (Patents Form 7/77)

Request for preliminary examination
and search (Patents Form 9/77)

Request for substantive examination
(Patents Form 10/77)

Any other documents
(please specify)

11. I/We request the grant of a patent on the basis of this application.

Signature(s): [illegible] Date: 7 April 2004

12. Name and daytime telephone number of
person to contact in the United Kingdom: [illegible] 345520







M&C Folio: GBP290155X



Electronic Voting Systems 

This invention is generally concerned with systems and methods for electronic voting. 

An election poses many challenges for the system used for voting, whether this is a
manual system, a mechanical one or an electronic one. Traditionally manual systems
have been used and are still widely used. For some decades mechanical systems have
been used in some countries, and in recent years electronic voting systems have had
their breakthrough in a number of countries. Common to all is that very high standards
have to be set on the security of the process of voting, such that voters can be confident
that the result of the election correctly reflects the votes cast, whereas at the same time
secrecy of the votes cast shall be ensured. In fact a long list of apparently conflicting
requirements can be stated.

Common for the systems used for general elections in a larger scale today is that they
duplicate the basic principles of the manual election, which we will briefly review. A
voter enters a voting site, where his identity is checked, after which he receives a ballot
and enters a voting booth where he can vote in privacy. He then folds his ballot such
that nobody can see what he has voted, enters the public sphere again and drops his
ballot into a container. The whole process is monitored by a sufficiently large and
diverse group of people such that it can be trusted not to cheat. A number of special
cases may exist in the process. For example the first voter may have the opportunity to
verify that the container is initially empty and it may be possible to regret the choice in
the time span between entering the choice on the ballot and dropping it into the
container. After the election the votes are counted. Throughout the whole process it is
ensured that at every step everything is monitored by a group of people sufficiently
large and diverse to be trusted.

V:\Cambridge Cases\PJM\GBP290155X\GBP290155X Spec & Claims 7-4-04.doc




Mechanical and electronic voting systems follow the same principles. In fact it seems
that the core element in the design of such systems is that the process shall be changed
as little as possible when introducing a new system. For example DRE (Direct
Recording Engine) e-voting systems store individual votes on a memory card such that
they can be counted afterwards instead of just keeping track of the statistics to be
reported.

However, when using electronic devices a number of properties of the original process
are altered in disfavour of the security even though the process is kept fixed. In particular
the following properties are always lacking unless great care is taken:

a) The voter is no longer able to see that what he enters on the machine is actually
what is recorded.

b) The officials monitoring the process are no longer able to see that one vote is
recorded for each voter.

c) The monitoring of the counting process is no longer [illegible] if nobody can
see what really happens during counting.



This has been known for many years in academic circles and has led to a number of
initiatives:



1) Some have tried to inform the public and decision makers about the situation
and have been driving a debate that has recently been rather heated as DRE
machines have become more widespread.
2) Some have developed the technology for dealing with the new challenges posed
by electronic voting systems. This has been done as basic research in universities
worldwide and in applied research projects like the e-Vote (IST-2000-29518,
http://www.instore.gr/evote) and Cybervote (IST-1999-20338,
http://www.eucybervote.org) projects as well as in private high tech companies
like Cryptomathic.

For background prior art reference can be made to the following: 


[DGS] Ivan Damgård, Jens Groth, Gorm Salomonsen: "The Theory and Implementation
of an Electronic Voting System", in Gritzalis, D. (Ed.) Secure Electronic Voting,
Kluwer Academic Publishers, Boston, USA, November 2002 (ISBN 1-4020-7301-1).

[DJ01] Ivan Damgård and Mads Jurik: "A generalisation, a simplification and some
applications of Paillier's public-key system with applications to electronic voting", in
Public Key Cryptography '01, pages 119-136. Springer-Verlag, LNCS 1992, 2001.

[NEF01] C. Andrew Neff: "A verifiable secret shuffle and its applications to e-voting",
in proceedings of the 8th ACM conference on Computer and Communications
Security, pages 116-125. ACM Press, 2001.

[NEF03] C. Andrew Neff: "Election Confidence". Version 6, December 2003. Preprint
available on www.votehere.net.

[BGR] Mihir Bellare, Juan A. Garay and Tal Rabin: "Fast Batch Verification for
Modular Exponentiation and Digital Signatures", EUROCRYPT 1998, LNCS series
1403, Springer Verlag, pages 236-250.

[DF] Ivan Damgård and Eiichiro Fujisaki: "A Statistically-Hiding Integer Commitment
Scheme Based on Groups with Hidden Order", ASIACRYPT 2002, LNCS series 2501,
Springer Verlag, pages 125-142.

[F] Jun Furukawa: "Efficient, Verifiable Shuffle Decryption and Its Requirement of
Unlinkability", Public Key Cryptography 2004, LNCS series, Springer Verlag, pages
319-332.

[FMMOS] Jun Furukawa, Hiroshi Miyauchi, Kengo Mori, Satoshi Obana and Kazue
Sako: "An Implementation of a Universally Verifiable Electronic Voting Scheme based
on Shuffling", Financial Cryptography 2002, LNCS series 2357, Springer Verlag, pages
16-30.

[FS] Furukawa and Sako: "An efficient scheme for proving a shuffle", CRYPTO 2001,
LNCS series 2139, Springer Verlag, pages 368-387.

[G] Jens Groth: "A Verifiable Secret Shuffle of Homomorphic Encryptions", Public
Key Cryptography 2003, LNCS series 2567, Springer Verlag, pages 145-160.

[GMY] Juan A. Garay, Philip D. MacKenzie and Ke Yang: "Strengthening Zero-
Knowledge Protocols Using Signatures", EUROCRYPT 2003, LNCS series 2656,
Springer Verlag, pages 177-194.

[Npatent] Andrew Neff, VoteHere: "Verifiable secret shuffles of encrypted data, such as
ElGamal encrypted data for secure multi-authority elections", patent application 2002,



Further background information useful for understanding the invention can be found in
"Verifiable e-Voting" by C. A. Neff and J. Adler, August 6, 2003.

Pursuers of 1) require printed ballots to be produced for voters to watch and store the
traditional way such that they can be used for recounting. The pilot system developed
and tested in the e-Vote project uses digitally signed, encrypted votes, such that it is
ensured that there is control of who cast each individual vote. It also utilizes a secure
protocol based on homomorphic encryption and zero-knowledge proofs (see [DGS],
[DJ01]) to ensure that the counting process is universally verifiable while preserving
secrecy. Universally verifiable means that it is possible for an independent observer to
verify that the votes are authentic, correctly formatted and have been counted correctly
without breaking the secrecy of the election. However, it does not deal directly with the
issue mentioned in a), that each voter shall be able to verify that his choice is actually
what is recorded in his vote. Votes with the e-Vote system are generated and signed in
an applet on the PC of the voter, so a) can be ensured by intercepting the applet and
verifying that it performs correctly (by means of installing third-party software).
However, this only works for Internet voting and it comes together with the expense
that receipt-freeness is only conditionally possible with Internet voting.


One purpose of embodiments of the present system is to bring together the two
approaches in a novel way by showing how an e-voting system can be designed with
existing technology such that

I. The properties of embodiments of the system are such that none of the issues a), b)
or c) constitutes a significant security threat.
II. Several counting and recounting procedures are possible with different properties
with respect to security and cost and where the highest obtainable level of
integrity of the result of the election is considerably higher than for traditional
manual elections.

Thus in a relaxed political climate costs can be saved and final results of the election 
can be made available quickly, whereas in a tense political climate, where current 
manual procedures are insufficient to ensure integrity of elections, the level of security 
can be increased. 

Previous electronic voting systems as described above by Neff et al provided voters
with receipts which they can take away and after polls close use to confirm, for example
by telephone or the internet, that their ballot was as intended. However such a system
can lack transparency and it is preferable, at least from the point of view of public
perception, not to depart so far from a conventional paper-based or manual voting
system. Nonetheless manual systems are by no means perfect despite their relative
transparency and, as described further below, there is scope for corruption which is
unlikely to be detected without fairly extensive recounts.

There is therefore a need for electronic voting systems which provide security and
integrity but which nonetheless will engender public trust. In embodiments of the
invention described below this is achieved by retaining a printed ballot system which
works in conjunction with an electronic system to guarantee a high level of integrity and
security.


According to a first aspect of the present invention there is therefore provided an
electronic voting system, the system comprising: a voting device configured to generate,
in response to a voter selection for each of a plurality of voters, an encrypted electronic
ballot and a printed ballot, both having voter selection data indicating a said voter's
choice, said electronic ballot including information to link it to said printed ballot and
said printed ballot including information to link it to said electronic ballot; an electronic
vote decryption system configured to receive electronic ballots from said voting device
and to decrypt said encrypted electronic ballots including said linking information; and
a voting verification system configured to receive decrypted voter selection data and
linking information from said vote decryption system, to receive voter selection data
and linking information from said printed ballots and to compare voters' choices for a
sample of said printed and electronic ballots linked by said linking information, to
verify the voting.

Either the electronic ballots or the printed (paper) ballots may be sampled but it is
preferable to provide a system which allows printed ballots to be sampled and then
linked to decrypted electronic ballots to save time in laboriously searching through large
numbers of printed ballots. This can be facilitated by means of a special ballot box which
is configured to sample the paper ballots and, optionally but preferably, scan the printed
ballots although in such a way that the sample ballots cannot be influenced.

To facilitate sampling, and then checking, printed ballots rather than electronic
encrypted ballots preferably the voter verification system is configured to determine that
all the printed ballots carry different linking information, that each printed ballot links
to an electronic ballot, and that the number of printed ballots is the same as the number
of electronic ballots, for example automatically counting the printed ballots. Making
these checks enables the sampling of printed ballots.

A printed ballot may comprise, for example, human readable information indicating the
choice(s) of the voter and information linking the printed ballot to an electronic ballot.
The linking information shall preferably not identify the voter (in order not to break
secrecy of an election, provided that the election is secret) and it shall preferably be in a
difficult-to-read (at least for a human) format such as a bar code and shall preferably not
be influenced by the voter (in order to prevent coercion, again provided that the election
is secret). An example of such information is an identifier of the district followed by a
large random number selected by the device used for voting at the time of voting,
printed in a bar-code format on the printed ballot. The linking information may be
cryptographically protected, for example by including a MAC (Message Authentication
Code) or a digital signature in the linking information. If the linking information is
cryptographically protected, the cryptographic protection may also protect the choices
of the voters (in order to prevent copying of linking information on printed ballots to
other ballots with different choices of voters).
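The verification checks and the MAC-protected linking information described above can be sketched as follows. This is an added example, not code from the application: the dictionary layout, the function names, the shared `MAC_KEY` and the choice of HMAC-SHA256 as the MAC are assumptions, and the "electronic" ballot stands for an already decrypted, depersonalised ballot.

```python
import hashlib
import hmac
import random
import secrets

# Constructed demo key (assumption): shared by the voting device and the verifier.
MAC_KEY = b"constructed-demo-key"


def make_link(district):
    """Linking information: district identifier followed by a large random number."""
    return f"{district}-{secrets.randbits(128):032x}"


def ballot_mac(link, choice):
    """MAC over the linking information AND the choice, so that a link cannot be
    copied onto a printed ballot showing a different choice."""
    msg = f"{len(link)}:{link}|{choice}".encode()
    return hmac.new(MAC_KEY, msg, hashlib.sha256).hexdigest()


def cast(district, choice):
    """Return (printed ballot, decrypted electronic ballot) for one vote."""
    link = make_link(district)
    printed = {"link": link, "choice": choice, "mac": ballot_mac(link, choice)}
    electronic = {"link": link, "choice": choice}
    return printed, electronic


def audit(printed, electronic, sample_size, rng=None):
    """Run the structural checks, then compare a random sample of printed ballots
    with the electronic ballots they link to. Returns a list of findings."""
    rng = rng or random.SystemRandom()
    findings = []

    # Check 1: all printed ballots carry different linking information.
    links = [p["link"] for p in printed]
    if len(set(links)) != len(links):
        findings.append("duplicate linking information on printed ballots")

    # Check 2: the number of printed ballots equals the number of electronic ballots.
    if len(printed) != len(electronic):
        findings.append("printed and electronic ballot counts differ")

    # Check 3: every printed ballot links to an electronic ballot and its MAC
    # is valid for the choice printed on it.
    by_link = {e["link"]: e for e in electronic}
    for p in printed:
        if p["link"] not in by_link:
            findings.append(f"printed ballot {p['link']} has no electronic ballot")
        if not hmac.compare_digest(p["mac"], ballot_mac(p["link"], p["choice"])):
            findings.append(f"bad MAC on printed ballot {p['link']}")

    # Sampling: compare choices only for a random sample of printed ballots.
    for p in rng.sample(printed, min(sample_size, len(printed))):
        e = by_link.get(p["link"])
        if e is not None and e["choice"] != p["choice"]:
            findings.append(f"choice mismatch for {p['link']}")
    return findings
```

With a sample smaller than the number of ballots the comparison step only detects a changed electronic ballot with some probability, which is why the structural checks run over all ballots first.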

An electronic ballot may comprise, for example, voter identification such as the voter's
name and encrypted information, preferably electronically signed, this encrypted
information indicating the voter's choice. The encrypted information may also include
information linking the electronic ballot to a printed ballot and/or this linking
information may be provided separately from the encrypted information indicating a
voter's choice, but if so must be treated similarly to the encrypted information
indicating the voter's choices. As described further later, during the counting process the
electronic ballots are preferably separated from voter identification information so that
they are depersonalised (though this is not essential, the voting then becoming akin to a
show of hands). This de-personalisation may be made secure by means of one or more
electronic shuffles of the electronic ballots, which may be performed in such a way that
it can be proved that no votes have been changed, in preferred embodiments using a
so-called zero-knowledge proof. In some embodiments each shuffle may also partially
decrypt the encrypted electronic ballots; new zero-knowledge proofs for such a process
are described later. With such a system it is also possible to separate the shuffling and
gradual decryption process from the verification process, which facilitates more rapid
data processing.

In another aspect the invention provides a computer system for verifying an
electronic voting system, the computer system comprising: data memory operable to
store data to be processed; program memory storing processor implementable
instructions; and a processor coupled to said data memory and to said program memory
to load and implement said instructions, the instructions comprising instructions for
controlling the processor to: receive decrypted voter selection data and linking
information from said vote decryption system; receive voter selection data and linking
information from said printed ballots; and compare voters' choices for a sample of said
printed and electronic ballots linked by said linking information to verify the voting.

The invention also provides a device for collecting ballots, the device comprising: a 
ballot input to accept a ballot submitted by a user; a first ballot holder for holding 
ballots for checking; a second ballot holder; and a user interface to allow said user to 
signal to the device an intention to submit said ballot; and a selector responsive to said 
signal to select substantially at random one of said first and second ballot holders to 
receive said submitted ballot. 

The skilled person will recognise that selection at random does not necessarily imply
equal numbers of ballots in the first and second ballot holders. The device may further
include a ballot reader to read linking information on the ballot for local storage and/or
forwarding over a network.

In another aspect the invention provides a printed ballot for an electronic voting
system configured to count electronic ballots corresponding to printed ballots, said
printed ballot bearing information linking the ballot to a said electronic ballot and
information to allow a voter to identify one or more choices, the printed ballot being
configured or configurable such that said linking information and said choice
identification information are both visible, but not simultaneously.

The invention further provides a method of operating an electronic voting system, the
method comprising: collecting a vote from a voter; outputting the vote as both an encrypted
electronic ballot and a printed ballot, each of said printed and encrypted electronic
ballots bearing information linking it to the other; displaying the printed ballot to the
voter; collecting the printed ballot; repeating said collecting, outputting, displaying and
collecting for a plurality of other voters; decrypting and counting said electronic ballots;
selecting a sample of said printed or electronic ballots and reading voter choices for said
sample; reading voter choices for electronic or printed ballots linked to said selected
ballots by said linking information; and comparing said voter choices read from said
sample and said linked ballots to verify a result of said voting.

The invention further provides a method of committing to an electronic data value, the
method comprising selecting a substantially random number and a subgroup of the
multiplication group $Z_n^*$ of integers computed modulo n where n is a product of two
primes for the electronic data value and/or said substantially random number and
determining a commitment value from said electronic data value and said substantially
random number using said subgroup.

The invention further provides a method of providing a zero-knowledge proof for
verifying correctness of a combined permutation and partial decryption of
homomorphically encrypted messages, performed using one or more data processing
entities, the method comprising: sending a commitment to a first set of values (n)
defining said permutation to a verifier; receiving a second set of values (t) from said
verifier; permuting said second set of values with said permutation; sending a
commitment to said permuted second set of values to said verifier; receiving a first pair
of values from said verifier; determining a third set of values (a) from said permutation,
said second set of values and said first pair of values; determining and sending a
commitment to a fourth set of random values (d); sending a set of commitments to said
verifier committing to a fifth set of values (d a), a value of said set being determined
from one of said third and one of said fourth set of values; and sending a commitment to
said permuted and partially decrypted messages and a commitment to a function of said
permuted and partially decrypted messages to said verifier; receiving a second pair of
values from said verifier; and sending values (£ z) determined from said second pair of
values, said first pair of values and said permutation to said verifier; whereby said
verifier is able to verify said performance using a zero-knowledge protocol.

The invention further provides a method of shuffling and decrypting encrypted
electronic data using a plurality of data processing entities, each entity having a share of
a secret key, the method comprising, at each of said entities, partially decrypting and
re-randomising said electronic data using said secret key share such that a final said data
processing utility fully decrypts said data.
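The shuffle with partial decryption described above can be illustrated with ElGamal over a small group. This is an added example, not code from the application: the choice of ElGamal, the additive key sharing, the toy parameters and all function names are assumptions, and the zero-knowledge proof of correctness that each entity would publish is not implemented here.

```python
import secrets

# Constructed toy parameters (far too small for real use):
# P = 2*Q + 1 with P, Q prime; G generates the subgroup of prime order Q.
P, Q, G = 467, 233, 4


def keygen(n_servers):
    """Each server holds one additive share x_i of the secret key.
    Returns (shares, public shares g^x_i, joint public key g^(x_1+...+x_n))."""
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(n_servers)]
    pub_shares = [pow(G, x, P) for x in shares]
    joint = 1
    for h in pub_shares:
        joint = joint * h % P
    return shares, pub_shares, joint


def encrypt(m, h):
    """ElGamal encryption of group element m under public key h."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(h, r, P) % P


def mix_step(ciphertexts, share, next_key):
    """One entity's work: strip its own key share from every ciphertext,
    re-randomise under the key of the remaining entities, then permute."""
    out = []
    for a, b in ciphertexts:
        # Partial decryption: b / a^share. a has order Q, so a^(Q-share) = a^(-share).
        b = b * pow(a, Q - share, P) % P
        # Re-randomisation under the remaining entities' joint key.
        s = secrets.randbelow(Q)
        out.append((a * pow(G, s, P) % P, b * pow(next_key, s, P) % P))
    secrets.SystemRandom().shuffle(out)  # the secret permutation
    return out


def run_mixnet(ciphertexts, shares, pub_shares):
    """Pass the ciphertexts through every entity in turn. After the last
    entity the second component of each pair is the plaintext."""
    for i, share in enumerate(shares):
        next_key = 1  # key of the entities that still have to act
        for h in pub_shares[i + 1:]:
            next_key = next_key * h % P
        ciphertexts = mix_step(ciphertexts, share, next_key)
    return [b for _, b in ciphertexts]


if __name__ == "__main__":
    shares, pub_shares, joint = keygen(3)
    # Constructed sample votes, encoded as group elements G^v.
    votes = [pow(G, v, P) for v in (1, 2, 2, 3, 1)]
    mixed = run_mixnet([encrypt(m, joint) for m in votes], shares, pub_shares)
    print(sorted(mixed) == sorted(votes))
```

The output contains the same votes as the input but in an order no single entity can reconstruct, and no entity other than the last ever sees a plaintext.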

The invention also provides a method, in a computer system, of providing data for
verifying that messages of a set of messages provided from a corresponding set of
entities are authentic, the method comprising: selecting, for each said entity, first, second
and third random numbers; determining, for each said entity, first and second
verification values from, respectively, said first and second random numbers and said
entity's message, and said first and third random numbers; and outputting, for each
entity, said entity's message and said first and second verification values.

The invention further provides a method for providing data for verification systems for
verifying that messages $m_1, \ldots, m_k$ are authentic using a homomorphic verification
system without revealing their origin, the method comprising entities $\{E_j\}$ producing the
messages each choosing random numbers $e_j$, $r_j$ and $p_j$ and submitting $m_j$, $V(e_j, r_j)$
anonymously to one entity (entity A) and V(rj j e j 5 , p j) to another entity (entity B)
where V is a verification function, in particular a homomorphic function, in such a way
that the messages are authenticated.

The invention also provides computer program code to implement the above described
systems and methods. Such code may be provided on a data carrier such as disk, CD-
or DVD-ROM, programmed memory such as read-only memory (firmware), or on a
data carrier such as an optical or electrical signal carrier. The code may comprise code
in any conventional programming language, such as C. As the skilled person will
appreciate such code may be distributed between a plurality of coupled components in
communication with one another, for example on a network.







We further describe a voting system feature comprising: at least one device used for
voting entering preferably (the same or associated information) on a printed ballot and
an encrypted electronic ballot linking the two to each other. Preferably each voter is
allowed to watch the content of the paper ballot to verify that it contains his choices.
Preferably at least one instance makes available depersonalised clear-text electronic
ballots with their information linking them to printed ballots to the public or to selected
entities. Preferably a procedure selects a random sample of electronic ballots and
verifies that their content corresponds to the content of corresponding paper ballots with
the purpose of establishing confidence that the electronic ballots have not been
subjected to large-scale tampering.

We further describe a voting system feature comprising: at least one device used for 
voting entering preferably (the same or associated information) on a printed ballot and 
an encrypted electronic ballot linking the two to each other. Preferably each voter is 
allowed to watch the content of the paper ballot to verify that it contains his choices. 
Preferably at least one instance makes available depersonalised clear-text electronic 
ballots with their information linking them to printed ballots to the public or to selected 
entities. Preferably a procedure selects a random sample of electronic ballots and 
verifies that their content corresponds to the content of corresponding paper ballots with 
the purpose of establishing a deterrent against tampering with the voting device in 
individual election districts.

We further describe a device for collecting ballots comprising: two or more containers 
for collecting filled ballots and a user interface allowing a voter to make aware of his 
intention to submit his ballot arranged in such a way that it is decided at random at the 
time of ballot submission whether ballots shall be checked. This works in the way that it 
is by mechanical means ensured that ballots selected for checking at random are entered 
in a particular subset of containers.

We further describe a protocol for producing a zero-knowledge proof of a correctly
performed combination of permuting and partial decryption of homomorphically 
encrypted messages, and the non-interactive versions of the protocol obtained by using 
the Fiat-Shamir heuristic. 

We further describe a homomorphic commitment system that performs efficiently by 
making use of subgroups of $Z_n^*$ for the message space and/or the randomization space.


We further describe a protocol comprising: use of a homomorphic verification system
for verifying the correctness of the result of repeatedly permuting and re-encrypting and 
finally decrypting homomorphically encrypted content. 

We further describe a protocol comprising: use of a homomorphic verification system 
for verifying the correctness of the write-in votes obtained by repeatedly permuting and 
re-encrypting and finally decrypting homomorphically encrypted votes. 

We further describe a protocol comprising: use of a homomorphic verification system 
for verifying the correctness of the information linking electronic and printed ballots 
obtained by repeatedly permuting and re-encrypting and finally decrypting 
homomorphically encrypted votes. 

Aspects of the invention provide data processing apparatus and computer program code 
(which may be distributed over a network), in particular on a carrier, to implement the 
above described system and protocols. 

Embodiments offer faster counting, cost savings and increased service to voters
compared to manual elections, but with a higher level of security. Aspects of the
invention can be used in many embodiments: there are many technologies available for
dealing with the above described issues. In particular all of the technologies
"homomorphic encryption", "MIX nets" and "digital signatures" can be replaced by
other technologies in embodiments described later and still provide working systems.

These and other aspects of the present invention will now be further described by way 
of example only with reference to the accompanying figures in which: 



Figure 1 shows an example of a MIX net;

Figure 2 shows a first embodiment of an electronic voting system according to an aspect
of the present invention;

Figure 3 shows a second embodiment of an electronic voting system according to an 
aspect of the present invention; 

Figure 4 shows a first embodiment of a device for collecting ballots according to 
another aspect of the present invention; 

Figure 5 shows a second embodiment of a device for collecting ballots according to 
another aspect of the present invention; and 

Figure 6 shows a printed ballot suitable for use with the ballot collecting devices of 
Figures 4 and 5; 

Figure 7 illustrates the information that can be contained in a paper ballot and in the 
corresponding electronic vote; 

Figure 8 illustrates how encrypted content may be homomorphically counted on 
encrypted form to deliver an encrypted result in a homomorphic count; and 

Figure 9 illustrates how a shuffle changes the encryption and the ordering of electronic 
votes and produces a zero-knowledge proof. 

When we discuss technologies suitable for protecting elections it will be technologies
that base their trust on mathematics and suitably composed groups of people being
unable to cooperate to cheat rather than in elements like trust in the quality of code or
ability to keep out intruders completely. For example a digital signature cannot be
forged by malicious software that has access to data that can be signed unless this
software also has access to a particular private key. This is contrary to other sorts of
protection, like a log on a local machine that can normally easily be forged by malicious
software. Thus the protection we discuss is protection against adversaries with access to
modifying any part of the software they like with very few exceptions (software for
key-generation is an example). When we state that a device must be trusted to do or not to
do something, we mean that we rely on the software and hardware of the device
to ensure that the device has the intended behaviour.

The level of security we are aiming at for the devices used for casting votes is: The
devices will be trusted not to give away the choices of individual voters in any other
ways than the ones specified. However, we will assume that relevant adversaries have
access to modifying the software and hardware of the devices whenever we discuss the
highest levels of security supported for protecting against tampering with the choices of
the voters.

This is consistent with the fact that the latter type of attack has the highest potential for 
producing benefits for adversaries, and with that also manual voting allows some 
attacks, like the use of hidden cameras or comparison of fingerprints on voter cards and 
ballots, for breaking the secrecy.

Two technologies for counting secret encrypted and signed votes (the list is not
exhaustive, the ones mentioned are the ones we are particularly interested in making use
of in our invention) are:

Homomorphic encryption and zero-knowledge proofs combined with a secret 
sharing mechanism. The vote is encrypted and a zero-knowledge proof is 
attached proving that the encrypted vote is an encryption of a correct or true 
vote. Because the crypto system is homomorphic the votes with correct zero- 
knowledge proofs can be counted on encrypted form without ever decrypting a 
vote. Finally, the key for decrypting the result is secret shared between a 
sufficiently large and diverse group of people such that it can be trusted not to 
decrypt individual votes. 

MIX nets. A number of servers (shuffles) one after another re-encrypt
encrypted votes without being able to decrypt them and pass them on in a
different, random order together with a zero-knowledge proof that only the order
but not the content of the encrypted votes has been modified. If several shuffles
are used one after another and are operated by different organisations with
conflicting interests, it is trusted that the association between the original
ordering of the votes and the new ordering of differently encrypted votes has
been lost. Further, the zero-knowledge proofs ensure that the content of the
votes has not been altered. Again a secret sharing mechanism can be used for
decryption.

Common to the two approaches is that they employ zero-knowledge proofs and
particular protocols. Until recently protocols of this type were too slow to be applied in
practice, but we have developed an efficient homomorphic encryption protocol and an
efficient MIX net protocol. Both can be implemented over the same homomorphic
crypto system.

We have recognised that the two technologies have different properties: Counting
including verification can be parallelised arbitrarily for homomorphic encryption, so it
scales well and can produce a fast result. Further it is easy to trace back incorrectly
formatted electronic votes to their origin with this technology (this should never happen
unless machines used for voting are malfunctioning or tampered with - instead there
should be a correctly formatted invalid choice). The disadvantage is that a special
zero-knowledge proof must be designed for each voting rule. (A voting rule can for example
be that each voter can select one option, vote blank or provide an invalid vote. Another
voting rule can be, as used in practice in Greece, that each voter may vote for up to five
persons from the same political party or provide an invalid vote. These two rules require
different zero-knowledge proofs since different properties of the content of encrypted
votes must be proven.) MIX nets are more flexible when it comes to implementing
different voting protocols because the same zero-knowledge proofs can be used for all
voting rules.

In one of the proposed embodiments of our invention we will combine both 
technologies in order to get the best properties from both. 

The technologies discussed are sufficient to deal with the issues b) and c) mentioned in
the introduction, so it remains to discuss the issue a). By having ballots printed voters
are provided with the service that they can see what they have voted on paper, and they
have the same level of certainty as at a manual election, that their vote will count,
provided that a manual recount actually takes place. The idea, as already hinted,
however has a number of shortcomings in its pure form: Almost no information is
gained by checking a few votes in a district. The only action that makes sense is to
make total recounts in a selection of districts. However, if let's say a manual recount
takes place in 10% of the districts, this gives a 10% chance of being caught for somebody
manipulating votes in a particular district for a particular election. This may well be a
chance worth taking for a politician facing a ruined career if he loses. The same can be
said for a 30% or a 50% chance.

Consequently quite comprehensive recounting is necessary in order to ensure that the 
mechanism works as intended - not only by revealing attempted fraud, but also by 
preventing attempts of fraud from happening by acting as a deterrent. Embodiments of 
an aspect of our invention have the following properties: Electronic votes contain 
encrypted information identifying the manual vote and preferably the election district. 
The electronic votes can be detached from the identity of the voter by means of a MIX 
net or a similar mechanism in a secure way: after being detached from the identities of 
the voters, they are decrypted. We can pick a random sample of all the electronic votes 
of an arbitrary size. 

We now comment on references to "depersonalisation". A practical system will
normally be required to log information about significant actions; in particular, temporal
information linking specific events to the time they happened is usually logged. For
example the Signer (see later, with reference to WO 03/015370) used in embodiments
logs the hash value of the information signed together with the time of signature (in
embodiments this means that double-voting using the same credentials is logged, which
is important for providing accountability). Also the underlying infrastructure, in
particular firewalls and Internet operators, may log parts of the network traffic, as may a
man-in-the-middle. Combining the time an individual voter votes together with the time
particular electronic votes (or hash values of electronic votes) were handled by a
component of the system, breaks the secrecy and opens up the possibility of coercion. It
is therefore preferable to always consider an electronic vote to be linked to the identity
of the voter until it is de-linked from the identity of the voter by a cryptographically
sound protocol. We prefer to make it explicit that identities of voters are linked to
electronic votes by having the identities linked to the electronic votes in a
cryptographically protected way, which in the embodiments provided is done by having
a voter signature on each electronic ballot. This feature is however not essential to
aspects of the invention. Providing a cryptographically protected identity of individual
voters together with the electronic votes means that accountability of where individual
encrypted electronic votes originate from is provided, such that identities of voters
whose votes were counted is part of the information that is universally verifiable.



Say that we want to ensure with 99% probability that at most 1% of the electronic votes
are tampered with, i.e. contain different choices than the ones entered by the voters.
Then we pick 459 random electronic votes. For each of those, if at least 1% of the
electronic votes contain different choices than the corresponding manual votes, it has
less than a 99% chance of passing the test of being compared to the corresponding
manual vote. Consequently there is a probability of less than $0.99^{459} = 0.009921$ that all
of them pass the test.

It is clear that letting electronic ballots identify non-existing printed ballots will be
discovered. However, letting more electronic ballots identify the same printed ballot is a
possible attack unless care is taken. The procedure that must be carried out in the
individual districts is therefore to run through all printed ballots in the district to
establish that there is exactly one printed ballot with the same identification as the
electronic ballot and that the choices on the printed ballot are the same as on the
electronic one.



For the ultimate case, a general election in the US say, it means that by manipulating
459 votes out of maybe 100.000.000 or even 200.000.000 and causing the rather simple
procedure to happen in 459 randomly chosen election districts, you actually get quite
confident that no large scale fraud takes place with the electronic votes. And this is by
carrying out a procedure simpler than counting manually in less than 10 election
districts in each state on average.

In an aspect of the invention we let each encrypted vote carry information linking it to 
an individual ballot. After detaching the votes from the identities of the voters, take a 
sample of random decrypted electronic votes and compare them to the corresponding 
manual votes (using the linking information) in order to create confidence in the 
accuracy of the result of the election with relatively little effort. 

Additional information on an electronic ballot can be used for coercion by entities with
access to decrypted, depersonalised electronic ballots. Therefore the information should 
be represented on the printed ballot in a form difficult to manage by voters (not easier to 
copy than taking a photo of the ballot or essential parts of the ballot) and the voter 
should preferably not be able to influence the information. One possibility is to use 
random data represented as bar codes on the printed ballots. 

The way statistics behave when doing different kinds of checking follows from
elementary mathematics. The low efficiency of the standard scheme of producing
manual ballots without any other option than doing full recounts for election sites or 
election districts was also noticed in [NEF03] but in this document using printed ballots 
was seen as opposed to using testing based on providing voters with receipts, which 
they may have difficulties with handling and understanding and lacks transparency 
compared with a printed ballot. 



This scheme can also be carried out the other way around, in that paper ballots are 
picked and compared to anonymised electronic ballots. This has the advantage that less 
manual work is required. We propose the following scheme: the paper ballots are 
counted, the number is compared to the number of electronic ballots from the district. 
Then some paper ballots are picked at random and it is verified that they correspond to 
electronic ballots and have the same content. If the number of paper ballots and
electronic ballots are not the same, the paper ballots are counted. The property we are
aiming at using is that if there is the same number of electronic and paper ballots, and a 
number of paper ballots do not correspond to electronic ballots. Thus, if we know that
the information linking paper ballots to electronic are different and the number of paper
ballots correspond to the number of electronic ballots, it is just as efficient to pick
random paper ballots. In embodiments this is ensured by scanning the linking
information on each paper ballot and letting the system verify that all of these properties are
satisfied. We are of course aware that it may be a very time consuming and complex
task to carry out this comparison manually. If a single entity is not trusted to verify that
these properties are satisfied alone, we suggest that a protocol is used between the entity
responsible for handling results of scanning the paper votes and the entity responsible
for storing depersonalised decrypted electronic votes that ensures that both do the
verification. (Example: The entity responsible for handling results of scanning the paper
votes submits the result of each scanning, signed by a private key, awaits a yes/no
answer about whether the information matches the information on an electronic ballot
and processes the information. The entity storing the depersonalised decrypted
electronic votes performs the verification and returns yes/no about whether the
information matches the information on an electronic vote, also processes the
information, and finally submits the signed result of the scanning for universal
verification.)



The procedure described above is efficient for revealing large-scale fraud. However, it
still suffers from the deficit that it does not efficiently act as a deterrent against fraud in
individual districts. Before we proceed with describing how to install such a deterrent,
we will notice the difference between the requirement for having confidence in the
overall accuracy of a country-wide election and the requirement for having a deterrent.

The first needs to be established quickly such that the result of the election can take
effect. For the latter to work, it is however enough that fraud is detected with a high
probability inside a reasonable time window, for example a few months. That means
that costs can be kept down when repeating the procedure in individual districts by
having few MIX net servers (and corresponding high-security facilities and staff) doing
the electronic parts, and by giving districts reasonable deadlines for answering results
such that they can organise their work efficiently. It also has the advantage that the
capability of decrypting votes does not have to be distributed on too many facilities and
persons.



We give an example of how an embodiment of another claim of our invention can act as
an efficient deterrent.

Say we carry out the procedure described above with 194 randomly chosen votes in
each district. Then in each district somebody manipulating 2% of the votes will face a
98% chance that the fraud is detected. (Probabilities are estimated under the assumption
that there are much more than 194 votes. Lower number of votes in all cases give higher
probability of detection.) If he manipulates 1% of the votes he will face an 86% chance
that it is detected and if he manipulates 0.5% of the votes he will face a 62% chance that
it is detected. If he manipulates 0.1% of the votes, he will face a 17% chance that it is
detected, which is not much, but on the other hand his chances of influencing the
outcome of the election by changing 0.1% of the votes are probably also not good. If
fraud is detected in this way, a manual recount and a police investigation can be
initiated such that the result of the election can be corrected and such that apparently
fraudulent candidates and their assistants can be tried in court.

The number of votes checked and the procedure that takes place in case that fraud is 
detected can of course be tuned according to needs. 
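
The arithmetic behind the 459-vote and 194-vote figures, as an added Python example that is not part of the patent text. It also covers the finite-district case mentioned in the parenthesis above by sampling without replacement; the function names are illustrative.

```python
import math
from fractions import Fraction


def miss_probability(sample_size, tampered_fraction):
    """Chance that every sampled vote matches its paper ballot, assuming far
    more votes than samples (the estimate the text uses)."""
    return (1.0 - tampered_fraction) ** sample_size


def miss_probability_exact(total_votes, tampered_votes, sample_size):
    """Exact chance of drawing no tampered vote when sampling without
    replacement from a district of known size (hypergeometric)."""
    if not 0 <= tampered_votes <= total_votes:
        raise ValueError("tampered_votes must lie between 0 and total_votes")
    if not 0 <= sample_size <= total_votes:
        raise ValueError("sample_size must lie between 0 and total_votes")
    clean = total_votes - tampered_votes
    # math.comb returns 0 when the sample is larger than the clean set,
    # i.e. when the sample cannot avoid every tampered vote.
    return float(Fraction(math.comb(clean, sample_size),
                          math.comb(total_votes, sample_size)))


def sample_size_for(confidence, tampered_fraction):
    """Smallest sample that catches the given tampering rate with at least
    the given confidence, under the large-population estimate."""
    if not (0 < confidence < 1 and 0 < tampered_fraction < 1):
        raise ValueError("confidence and tampered_fraction must lie in (0, 1)")
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - tampered_fraction))


def detection_table(sample_size, fractions):
    """Detection probability for each tampering rate at a fixed sample size."""
    return {f: 1.0 - miss_probability(sample_size, f) for f in fractions}


if __name__ == "__main__":
    n = sample_size_for(0.99, 0.01)
    print("sample for 99% confidence against 1% tampering:", n)
    print("chance all of them pass: %.6f" % miss_probability(n, 0.01))
    for rate, p in detection_table(194, [0.02, 0.01, 0.005, 0.001]).items():
        print("194 samples, %.1f%% tampered: detected with p = %.3f" % (100 * rate, p))
    # A small district: 1000 votes, 10 of them tampered, 194 sampled.
    print("exact miss probability, 1000-vote district: %.4f"
          % miss_probability_exact(1000, 10, 194))
```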

In another aspect of the invention we use information in each encrypted vote linking it
to an individual ballot. After detaching the votes from the identities of the voters take a
sample of random decrypted electronic votes and compare them to the corresponding
manual votes in order to install an effective deterrent against fraud with the election.

We must expect that both the procedure for creating confidence in the result of the 
election and the deterrent will be used together. Further, this should be done in a manner 
as efficient as possible. We describe a procedure below: 




At each election site/district there is a PC with a scanner capable of reading the
information on the paper ballots linking them to electronic ballots, but not
necessarily capable of reading what is voted for. The PC is on-line, is running a
special application and has access to the electronic anonymised votes.

The paper ballots are scanned and a program on the PC verifies that all the
ballots carry different information, that the information corresponds to
information on an electronic vote and that the number of paper votes is the same
as the number of electronic votes.

A sample of (about 194) randomly chosen votes is collected. For each of those
it is verified that the electronic vote corresponds to the paper vote.
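
A sketch of the program run on the district PC, as an added example that is not the patent's own code. The data layout (linking values as strings, electronic votes as pairs of linking value and choice) and all function names are assumptions, and the sample data is constructed.

```python
import secrets
from collections import Counter


def reconcile(paper_links, electronic_votes):
    """Return a list of discrepancies; an empty list means the district passes.

    paper_links: linking values scanned from the paper ballots.
    electronic_votes: (linking value, choice) pairs after depersonalisation.
    """
    problems = []
    paper = Counter(paper_links)
    electronic = Counter(link for link, _ in electronic_votes)
    if len(paper_links) != len(electronic_votes):
        problems.append(("count mismatch", len(paper_links), len(electronic_votes)))
    for link, n in sorted(paper.items()):
        if n > 1:
            problems.append(("paper ballots carry the same information", link, n))
        if link not in electronic:
            problems.append(("paper ballot without electronic vote", link, n))
    for link, n in sorted(electronic.items()):
        if n > 1:
            # Several electronic votes pointing at one printed ballot.
            problems.append(("several electronic votes share one ballot", link, n))
        if link not in paper:
            problems.append(("electronic vote without paper ballot", link, n))
    return problems


def pick_sample(electronic_votes, size=194):
    """Draw the votes to compare by hand from an unpredictable source."""
    rng = secrets.SystemRandom()
    return rng.sample(electronic_votes, min(size, len(electronic_votes)))


def compare_sample(sample, paper_choices):
    """paper_choices maps a linking value to the choice a person read from the
    paper ballot. Returns (link, electronic choice, paper choice) mismatches."""
    return [(link, choice, paper_choices.get(link))
            for link, choice in sample
            if paper_choices.get(link) != choice]


if __name__ == "__main__":
    # Constructed district: three ballots, one electronic vote altered and
    # one electronic vote duplicated in place of another.
    scanned = ["b1", "b2", "b3"]
    honest = [("b1", "A"), ("b2", "B"), ("b3", "A")]
    duplicated = [("b1", "A"), ("b1", "A"), ("b3", "A")]
    print(reconcile(scanned, honest))
    print(reconcile(scanned, duplicated))
    print(compare_sample(pick_sample(honest), {"b1": "A", "b2": "A", "b3": "A"}))
```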

We now outline public key cryptosystems. 

A public key cryptosystem generally consists of three algorithms K, E, and D.

• K is the key generation algorithm and produces a public key, pk, and a secret
key, sk.

• E is the encryption algorithm. It takes as input the public key pk and a message
m. It produces a ciphertext $c = E_{pk}(m)$.

The algorithm may be randomized; it generates some random bits and uses them
in the encryption process. When emphasising these random bits, we write them
as an explicit extra input to the encryption algorithm, i.e., $c = E_{pk}(m;r)$.

• D is the decryption algorithm. It takes as input the secret key sk and a ciphertext
c. Using this it produces $m = D_{sk}(c)$.

One particular group of public key cryptosystems is ElGamal-style cryptosystems.

Consider the group $\mathbb{Z}_p^*$, i.e., the multiplicative group of integers modulo p, where p is a
prime. Let q be a prime, such that q divides p-1. Then there is a cyclic subgroup $G_q$ of
$\mathbb{Z}_p^*$ with order q. Let g be a generator for this group, i.e., $\langle g \rangle = G_q$.



The key generation algorithm picks primes q, p and a generator g as described above. It
selects at random an element $x \in \mathbb{Z}_q$ and computes $h = g^x \bmod p$. It outputs public key
pk = (q,p,g,h) and secret key sk = x.

To encrypt a message $m \in G_q$ the encryption algorithm picks a random $r \in \mathbb{Z}_q$ and
returns ciphertext $c = (u,v) = E_{pk}(m;r) = (g^r \bmod p, h^r m \bmod p)$.
The decryption algorithm on a ciphertext c = (u,v) returns $m = D_{sk}(c) = v u^{-x} \bmod p$.

Another variant of the ElGamal cryptosystem uses the group $\mathbb{Z}_{n^2}^*$, where n = pq, and p,q
are large primes. The multiplicative group $\mathbb{Z}_{n^2}^*$ of elements computed modulo $n^2$ has
order n*lcm(p-1,q-1), and the element (1+n) has order n in $\mathbb{Z}_{n^2}^*$.

Here the key generation algorithm outputs two elements g,h of order lcm(p-1,q-1), i.e.,
pk = (n,g,h) and the secret key is sk = x, such that $h = g^x \bmod n^2$.

To encrypt a message $m \in \mathbb{Z}_n$, the encryption algorithm picks a random r and computes
ciphertext $c = E_{pk}(m;r) = (g^r \bmod n^2, h^r (1+n)^m \bmod n^2)$.

On ciphertext c = (u,v) the decryption algorithm outputs
$m = D_{sk}(c) = ((v u^{-x} \bmod n^2) - 1)/n$.

Please note that ElGamal cryptosystems are examples of homomorphic systems, i.e.,
$E_{pk}(m_1+m_2; r_1+r_2) = E_{pk}(m_1;r_1) \cdot E_{pk}(m_2;r_2)$.

Common for ElGamal-style cryptosystems is that we can secret share the secret key.

This means that we can have several parties that each get a share of the secret key and
only by cooperating can they perform the decryption operation. This is important in
voting, where we want to have strong security guarantees that no single party is capable
of decrypting a ciphertext containing a voter's vote.

There are several methods for doing this secret sharing; here we focus only on a simple
linear method. Let the secret key be x. We pick at random $s_1,\ldots,s_k$ such that $x = s_1 + \ldots + s_k$.
Give each party $S_1,\ldots,S_k$ the secret share $s_1,\ldots,s_k$; they now have a sharing of the
secret key, but no proper subset of the parties can compute the secret key.



As a step in decrypting the ciphertext c = (u,v) we want to compute $u^{-x}$ (we will from
now on not be explicit about the group we are working in, it can be modulo p, modulo
$n^2$, or a completely different type of group, for instance one based on elliptic curves).
The parties $S_1,\ldots,S_k$ can cooperatively do so. They simply compute $u_1 = u^{s_1},\ldots,u_k = u^{s_k}$
and publish their decryption shares. Now, anybody can compute $v u^{-x} = v(u_1 \cdots u_k)^{-1}$,
and from that extract the message.
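
An added toy example (not from the patent) of the modulo n^2 variant: votes are added under encryption, and the tally is recovered from the parties' decryption shares without the secret key x ever being assembled. The primes, the way g is chosen and all function names are assumptions made for illustration; real parameters are far larger.

```python
import math
import secrets

# Constructed toy primes (assumption); a real election uses large secret primes.
P, Q = 1019, 1031
N = P * Q


def keygen(parties):
    """Return pk = (n, g, h) and the secret shares s_1..s_k.

    h = g^(s_1 + ... + s_k) mod n^2 is assembled from the per-party values
    g^(s_i), so x = s_1 + ... + s_k never exists in one place.
    """
    n2 = N * N
    while True:
        a = 2 + secrets.randbelow(N - 2)
        if math.gcd(a, N) == 1:
            break
    g = pow(a, N, n2)  # an n-th power, so its order divides lcm(p-1, q-1)
    shares = [1 + secrets.randbelow(N) for _ in range(parties)]
    h = 1
    for s in shares:
        h = h * pow(g, s, n2) % n2
    return (N, g, h), shares


def encrypt(pk, m):
    """E_pk(m; r) = (g^r mod n^2, h^r (1+n)^m mod n^2)."""
    n, g, h = pk
    if not 0 <= m < n:
        raise ValueError("message must lie in Z_n")
    n2 = n * n
    r = 1 + secrets.randbelow(n)
    return pow(g, r, n2), pow(h, r, n2) * pow(1 + n, m, n2) % n2


def add(pk, c1, c2):
    """Componentwise product of ciphertexts: the plaintexts add modulo n."""
    n2 = pk[0] * pk[0]
    return c1[0] * c2[0] % n2, c1[1] * c2[1] % n2


def tally(pk, ciphertexts):
    total = (1, 1)  # encryption of 0 with r = 0
    for c in ciphertexts:
        total = add(pk, total, c)
    return total


def decryption_share(pk, c, s_i):
    """Party S_i publishes u_i = u^(s_i) and keeps s_i to itself."""
    return pow(c[0], s_i, pk[0] * pk[0])


def combine(pk, c, dec_shares):
    """Recover m from v (u_1 ... u_k)^(-1) = (1+n)^m = 1 + m n mod n^2."""
    n = pk[0]
    n2 = n * n
    prod = 1
    for u_i in dec_shares:
        prod = prod * u_i % n2
    w = c[1] * pow(prod, -1, n2) % n2
    if (w - 1) % n != 0:
        raise ValueError("decryption shares do not match the ciphertext")
    return (w - 1) // n


if __name__ == "__main__":
    pk, shares = keygen(3)
    votes = [1, 0, 1, 1, 0, 1, 0]  # constructed: 1 = yes, 0 = no
    total = tally(pk, [encrypt(pk, v) for v in votes])
    dec = [decryption_share(pk, total, s) for s in shares]
    print("yes votes:", combine(pk, total, dec))
    try:
        # With one share missing the result is almost certainly rejected.
        print("two of three parties:", combine(pk, total, dec[:2]))
    except ValueError as err:
        print("two of three parties:", err)
```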

There is a problem though. Imagine a party $S_i$ cheats and supplies an incorrect
decryption share. In that case, we may end up with believing that the plaintext is
something completely different from the message that was actually encrypted.
To solve this we let the key generation algorithm compute verification keys
$h_1 = g^{s_1},\ldots,h_k = g^{s_k}$ and output these together with the public key. We now demand that each
server $S_i$ makes a zero-knowledge proof that $u_i$ has been computed with the same
exponent $s_i$ as has been used to compute $h_i$. We will explain the notion of zero-
knowledge proofs later, for now let us say that it proves the correct use of exponent $s_i$,
without revealing anything about $s_i$.
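
One way to build the proof demanded here is an equality-of-discrete-logarithms (Chaum-Pedersen) proof made non-interactive with a Fiat-Shamir hash; this is an added example, not the patent's own protocol. It works in the order-q subgroup of a constructed toy prime field, and all names and parameters are illustrative.

```python
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 with p, q prime; g = 4 generates the
# subgroup G_q of order q. A cheating prover succeeds with probability 1/q,
# so a real system uses a q of at least 256 bits.
P, Q, G = 2039, 1019, 4


def keygen(parties):
    """Return (h, verification keys h_i = g^(s_i), secret shares s_i)."""
    shares = [1 + secrets.randbelow(Q - 1) for _ in range(parties)]
    keys = [pow(G, s, P) for s in shares]
    h = 1
    for k in keys:
        h = h * k % P
    return h, keys, shares


def encrypt(h, m):
    r = 1 + secrets.randbelow(Q - 1)
    return pow(G, r, P), pow(h, r, P) * m % P


def challenge(*elements):
    """Fiat-Shamir: the challenge is a hash of the statement and the
    prover's first message, reduced modulo q."""
    data = "|".join(str(e) for e in elements).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_share(u, s_i):
    """Server S_i returns u_i = u^(s_i) with a proof that the exponent is the
    one behind its verification key h_i = g^(s_i)."""
    h_i, u_i = pow(G, s_i, P), pow(u, s_i, P)
    w = secrets.randbelow(Q)                 # one-time nonce
    a1, a2 = pow(G, w, P), pow(u, w, P)      # first message
    e = challenge(G, h_i, u, u_i, a1, a2)
    z = (w + e * s_i) % Q                    # response
    return u_i, (a1, a2, z)


def verify_share(u, h_i, u_i, proof):
    a1, a2, z = proof
    if not 0 < u_i < P or pow(u_i, Q, P) != 1:
        return False                         # share is not in G_q
    e = challenge(G, h_i, u, u_i, a1, a2)
    return (pow(G, z, P) == a1 * pow(h_i, e, P) % P
            and pow(u, z, P) == a2 * pow(u_i, e, P) % P)


def decrypt_with_checks(c, verification_keys, responses):
    """Combine shares only after every proof verifies; name the first cheater."""
    u, v = c
    prod = 1
    pairs = zip(verification_keys, responses)
    for i, (h_i, (u_i, proof)) in enumerate(pairs, 1):
        if not verify_share(u, h_i, u_i, proof):
            raise ValueError("server S_%d supplied an invalid decryption share" % i)
        prod = prod * u_i % P
    return v * pow(prod, -1, P) % P


if __name__ == "__main__":
    h, keys, shares = keygen(3)
    m = pow(G, 123, P)                       # constructed message in G_q
    c = encrypt(h, m)
    responses = [prove_share(c[0], s) for s in shares]
    print("decrypted correctly:", decrypt_with_checks(c, keys, responses) == m)
    # Server 2 swaps in a different share but reuses its honest proof.
    bad = list(responses)
    bad[1] = (bad[1][0] * G % P, bad[1][1])
    try:
        decrypt_with_checks(c, keys, bad)
    except ValueError as err:
        print(err)
```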



We now describe commitments. 



In an example of a bit commitment protocol Alice chooses a bit and sends proof to Bob
although, due to the character of the proof, Bob cannot tell what Alice's bit is until she
tells him. Once she does, Bob can easily verify that she is telling the truth; a simple
case is a piece of paper in a locked box.

A commitment scheme generally consists of three algorithms K, C, and V.

• K is a key generation algorithm that outputs a public key pk.

• C is a commitment algorithm. It takes as input the public key pk and a message
m. It outputs a commitment $c = C_{pk}(m)$. C is a randomised algorithm, and when
needed we write the random bits used as r, and have $c = C_{pk}(m;r)$.

• V is a verification algorithm that outputs accept or reject. It takes as input a
public key pk, a commitment c, and an opening (m,r). It outputs accept if and only if
$c = C_{pk}(m;r)$.


For the algorithms K, C, V to constitute a commitment scheme, we require that the 
commitment is hiding and binding. 

Hiding means that from a commitment c it must be infeasible to tell which message m is
inside it. Hiding comes in two flavors, computational hiding and the stronger statistical
hiding. A commitment is statistically hiding, when even given infinite computing power
it is still impossible to tell anything about the message inside the commitment.
Binding means that it is impossible to find a commitment c and two different openings
$(m_1,r_1)$ and $(m_2,r_2)$ such that the verification algorithm will accept both openings. Also
the binding property comes in two flavors, computational and statistical. A commitment
is statistically binding if even with infinite computing power it is impossible to form a
commitment c that can be opened in two different ways.



From the cryptographic literature a commitment cannot both be statistically hiding and
statistically binding at the same time. It is possible to have commitments that are
statistically binding and computationally hiding, and in fact, the ElGamal cryptosystems
mentioned above are examples of such commitments. In the following, we present three
examples of the opposite case, namely statistically hiding and computationally binding
commitments.



Consider again the group $\mathbb{Z}_p^*$ and the cyclic subgroup $G_q$ of order q. Let g,h be two
randomly chosen generators for this group, i.e., $\langle g \rangle = \langle h \rangle = G_q$. The public key output
by the key generation algorithm is pk = (q,p,g,h).

To commit to a message $m \in \mathbb{Z}_q$ we pick at random $r \in \mathbb{Z}_q$, and let the commitment be
$c = g^r h^m \bmod p$.

An opening of the commitment c consists of (m,r), and V outputs accept if and only if
$m \in \mathbb{Z}_q$, $r \in \mathbb{Z}_q$, and $c = g^r h^m \bmod p$.
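
An added example (not from the patent) of this commitment over a constructed toy group. It checks opening and the homomorphic property, and it keeps the discrete logarithm of h to the base g as a trapdoor to show that whoever knows it can open a commitment to any message: this is why hiding is statistical while binding is only computational. All names and parameters are illustrative.

```python
import secrets

# Constructed toy group: p = 2q + 1, g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4


def keygen():
    """Return (pk, trapdoor) with pk = (q, p, g, h) and h = g^trapdoor.

    In a real setup nobody may know the trapdoor; it is returned here only so
    that the demonstration can show what the binding property rests on.
    """
    a = 1 + secrets.randbelow(Q - 1)
    return (Q, P, G, pow(G, a, P)), a


def commit(pk, m, r=None):
    """c = g^r h^m mod p; returns (c, r) so the committer can open later."""
    q, p, g, h = pk
    if not 0 <= m < q:
        raise ValueError("message must lie in Z_q")
    if r is None:
        r = secrets.randbelow(q)
    return pow(g, r, p) * pow(h, m, p) % p, r


def verify(pk, c, m, r):
    """V accepts if and only if m, r lie in Z_q and c = g^r h^m mod p."""
    q, p, g, h = pk
    return (0 <= m < q and 0 <= r < q
            and c == pow(g, r, p) * pow(h, m, p) % p)


def add(pk, c1, c2):
    """Product of commitments commits to the sum of messages (mod q)."""
    return c1 * c2 % pk[1]


def equivocate(trapdoor, m, r, m_new):
    """With log_g(h) known, find r_new so that (m_new, r_new) opens the same
    commitment: r + a*m = r_new + a*m_new (mod q)."""
    return (r + trapdoor * (m - m_new)) % Q


if __name__ == "__main__":
    pk, trapdoor = keygen()
    c, r = commit(pk, 7)
    print("opens as 7:", verify(pk, c, 7, r))
    print("opens as 8 with the same r:", verify(pk, c, 8, r))
    r_new = equivocate(trapdoor, 7, r, 8)
    print("opens as 8 with the trapdoor:", verify(pk, c, 8, r_new))
    c1, r1 = commit(pk, 3)
    c2, r2 = commit(pk, 4)
    print("product opens as 3 + 4:",
          verify(pk, add(pk, c1, c2), 7, (r1 + r2) % Q))
```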



Another example of a commitment scheme is the following integer commitment
scheme. We use the group $\mathbb{Z}_n^*$, where n = pq is a product of two primes, such that p-1
and q-1 do not have any small odd divisors. The key generation algorithm picks two
squares g,h in $\mathbb{Z}_n^*$ at random.


To commit to an integer m, select r as a random 2|n|-bit number, where |n| denotes the
number of bits in n, and compute the commitment $c = C_{pk}(m;r) = g^r h^m \bmod n$.
An opening of the commitment consists of (b,m,r) such that b is a square root of 1, and
$c = b g^r h^m \bmod n$.

A third example of a commitment scheme is the following. We have some cyclic group
G and select four random generators $g_1, g_2, h_1, h_2$ for it. The public key is
pk = $(g_1, g_2, h_1, h_2)$.

To commit to a message $m \in G$, pick $r_1, r_2$ at random and let the commitment be
$c = (u,v) = C_{pk}(m; r_1, r_2) = (g_1^{r_1} g_2^{r_2}, h_1^{r_1} h_2^{r_2} m)$.

The opening is $(m, r_1, r_2)$; the verification algorithm checks that
$c = (g_1^{r_1} g_2^{r_2}, h_1^{r_1} h_2^{r_2} m)$.

An important property of all the above examples of commitment schemes is that they
are homomorphic. I.e., $C_{pk}(m_1+m_2; r_1+r_2) = C_{pk}(m_1;r_1) \cdot C_{pk}(m_2;r_2)$, or if we prefer
multiplicative notation for the latter commitment's message space, we have

We can easily extend the commitments to commit to several values at once. Let the
public key consist of $g, h_1, \ldots, h_n$. Then we can commit to $m_1, \ldots, m_n$ as
$c = g^r h_1^{m_1} \cdots h_n^{m_n}$.

In an aspect of the invention we describe the following variation of an integer 
commitment scheme. 

Let n = pq be the product of two primes p and q. Let furthermore p', q' be two primes
dividing respectively p-1 and q-1. Reasonable sizes are |p|=|q|=800 bits, where |p|
denotes the number of bits in p, and |p'|=|q'|=120 bits. Both p, q, p' and q' must be kept
secret. Let furthermore t be an integer such that t > |p'|+|q'|. For instance we could with
the above parameters select t = 300.

Pick at random g, h such that $\langle g \rangle = \langle h \rangle$ are groups of order p'q'.
The key generation algorithm outputs the public key pk = (n,g,h,t).

To commit to an integer m, pick at random r as a t-bit number. Compute the
commitment $c = C_{pk}(m;r) = g^r h^m \bmod n$.

To open the commitment reveal the opening (m,r). The verification algorithm on
opening (m,r) checks that $c = g^r h^m \bmod n$.

Variations of the scheme: 

As mentioned before it is possible to make a variation of the integer commitment
scheme that allows for commitment to multiple integers at once.
One can select p', q' such that they are composites. It is important, however, that they
are selected such that it is hard to guess a number N such that p'|N or q'|N.

Note that we deliberately work in a moderately small subgroup of $\mathbb{Z}_n^*$ in order to gain
better efficiency. This has potential use in both voting protocols and many other
cryptographic protocols.

We now describe zero-knowledge proofs.

For example to prove a statement such as "I know a modular square root" the prover can
give the square root to the verifier or provide a so-called zero-knowledge proof to
convince the verifier that the statement is true without providing any information on the
proof and thus keeping the square root secret. A zero-knowledge proof or zero-
knowledge argument comprises an interactive protocol to be run between two parties (or
in some cases more parties). We call them respectively the prover and the verifier. Both
of them know some common input x and now the prover wants to convince the verifier
that x has some particular property, for instance that there exists a witness w such that
(x,w) belongs to some NP-language. To do so, they exchange messages according to the
zero-knowledge protocol, and in the end, the verifier decides whether to accept or reject
the statement.



We generally call such an interactive protocol a zero-knowledge argument if it has the 
following three properties 

* Completeness: If the prover knows a witness w for the property of x, then he can
make an honest verifier accept.

* Soundness: If the statement is false, i.e., no such w exists, any (possibly
cheating) prover cannot make an honest verifier accept.

* Zero-knowledge: Any (possibly cheating) verifier does not learn anything but
the veracity of the statement from interacting with an honest prover.

There are many variations of how to define zero-knowledge proofs and arguments.
Among them are non-interactive variants, where we instead assume a common
reference string, chosen with some particular distribution, is available to both prover
and verifier. Non-interactive zero-knowledge proofs and arguments are publicly
verifiable.

Another variation is honest verifier zero-knowledge, where the zero-knowledge
property holds if the verifier follows the protocol, but may not hold if the verifier
deviates from the protocol. A stronger version of this is special honest verifier
zero-knowledge, where the verifier's messages are public coin (i.e., consist of uniformly
random bits) and where it is possible to simulate the entire proof (without knowledge of
the witness w) if we are given in advance the messages (challenges) that the verifier
sends.



A popular method for making a special honest verifier zero-knowledge proof
non-interactive is the Fiat-Shamir heuristic. In the Fiat-Shamir heuristic, we compute the
challenges as suitable hash values. This means that we do not need a verifier to choose
the challenges. Broadly speaking, in the so-called random oracle model, hash values of
messages are considered to be uniformly distributed random numbers, picked the first
time a hash of a given message is computed. Since randomness of considerable size is
contained in the relevant encryptions and commitments, messages sent from prover to
verifier can be considered to be new each time and their hash values are thus uniformly
distributed random numbers in the random oracle model. Since also challenges are
uniformly distributed random numbers, the hash values can be used as challenges
provided that the output from the hash function has the same size as the challenges. The


non-interactive proof is thus as secure as the interactive protocol in the random oracle 
model. 







We now describe (decrypting) mix-nets embodying aspects of the present invention. 

Suppose we have a bunch of ciphertexts c_1 = (u_1,v_1) = E(m_1), ..., c_n = (u_n,v_n) = E(m_n).
We want to learn the messages m_1,...,m_n, but in a random order; we do not want
anybody to be able to link messages and ciphertexts.

A group of servers cooperating to do so is called a mix-net. Using ElGamal-encryption,
we can construct a mix-net in a simple manner. Using the secret sharing described
before the servers S_1,...,S_k each have a share s_1,...,s_k of the secret key such that x =

Server S_1 re-randomises and peels off the layer of encryption (in classical MIX nets,
randomness is refreshed for the same cryptosystem rather than a layer of encryption
being peeled off. For such MIX nets decryption takes place after mixing. The decisive
property for MIX nets is that each server re-encrypts the messages in a way such that
comparing input and output gives no information about the permutation used)
corresponding to its own secret share, it re-randomises the ciphertexts and outputs them
in a permuted order. I.e., S_1 selects a permutation π, randomisers R_1,...,R_n and outputs

(U_1 = g^{R_1} u_{π(1)}, V_1 = (h_2*...*h_k)^{R_1} v_{π(1)} u_{π(1)}^{-s_1}), ...,
(U_n = g^{R_n} u_{π(n)}, V_n = (h_2*...*h_k)^{R_n} v_{π(n)} u_{π(n)}^{-s_1}).

Here π(i) is the index that the i'th index is permuted into by π.

Server S_2 peels off another layer of the encryption corresponding to its secret share. I.e.,
if we call the output from S_1 (u_1,v_1),...,(u_n,v_n), then it selects a permutation π,
randomness R_1,...,R_n and outputs
(U_1 = g^{R_1} u_{π(1)}, V_1 = (h_3*...*h_k)^{R_1} v_{π(1)} u_{π(1)}^{-s_2}), ...

When the last server S_k peels off a layer of the encryption, then V_1,...,V_n constitute a
permutation of m_1,...,m_n. More precisely, if we call the permutations selected by
S_1,...,S_k for π_1,...,π_k, and let π(i) = π_1(...(π_k(i))...), then we have
V_1 = m_{π(1)}, ..., V_n = m_{π(n)}.




However, only if all servers cooperate will they know π and be able to link messages to
their ciphertexts. Conversely, if just a single server is honest, then the permutation is
secret.

Mix-nets are useful in voting, since they allow encrypted votes to be decrypted and
permuted. This way votes can be counted, but at the same time, nobody can link voters
with their votes.
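
The decrypting mix-net described above, as an added example (not code from the patent): each server strips the layer for its own key share, re-randomises under the remaining servers' keys and permutes. The toy group parameters, the encoding of a vote as g^vote and all function names are assumptions made for the illustration.

```python
import secrets

# Toy group (constructed, far too small for real use): P = 2*Q + 1 with P and Q
# prime, and G = 4 generating the subgroup of order Q.
P, Q, G = 2039, 1019, 4
_rng = secrets.SystemRandom()


def keygen(k):
    """Give each of k servers a share s_i and publish h_i = g^(s_i)."""
    shares = [_rng.randrange(1, Q) for _ in range(k)]
    publics = [pow(G, s, P) for s in shares]
    return shares, publics


def product(values):
    """Product of group elements mod P (the empty product is 1)."""
    out = 1
    for v in values:
        out = out * v % P
    return out


def encode(vote):
    """Map a small integer vote into the subgroup (assumed encoding)."""
    return pow(G, vote, P)


def decode(element):
    """Invert encode() by table lookup; feasible only because Q is tiny."""
    table = {pow(G, v, P): v for v in range(Q)}
    return table[element]


def encrypt(h, m):
    """ElGamal encryption (u, v) = (g^r, h^r * m) of a subgroup element m."""
    r = _rng.randrange(1, Q)
    return pow(G, r, P), pow(h, r, P) * m % P


def mix_step(share, h_rest, ciphertexts):
    """One server: permute, peel off its own layer, re-randomise under h_rest.

    Output j is (U, V) = (g^R * u, h_rest^R * v * u^(-share)) for input pi[j].
    """
    n = len(ciphertexts)
    pi = list(range(n))
    _rng.shuffle(pi)
    out = []
    for j in range(n):
        u, v = ciphertexts[pi[j]]
        R = _rng.randrange(1, Q)
        U = pow(G, R, P) * u % P
        # u lies in the order-Q subgroup, so u^(Q - share) equals u^(-share).
        V = pow(h_rest, R, P) * v % P * pow(u, Q - share, P) % P
        out.append((U, V))
    return out, pi


def run_mixnet(shares, publics, ciphertexts):
    """Pass the batch through every server; return plaintexts and permutations."""
    batch, perms = ciphertexts, []
    for i, share in enumerate(shares):
        h_rest = product(publics[i + 1:])   # keys of the servers still to come
        batch, pi = mix_step(share, h_rest, batch)
        perms.append(pi)
    # After the last server h_rest is 1, so each V is a bare message.
    return [V for _, V in batch], perms


if __name__ == "__main__":
    shares, publics = keygen(3)
    h = product(publics)                    # joint public key
    votes = [3, 1, 4, 1, 5]                 # constructed sample votes
    batch = [encrypt(h, encode(v)) for v in votes]
    plain, _ = run_mixnet(shares, publics, batch)
    print(sorted(decode(x) for x in plain))
```

No single server's permutation determines the final order; the composed permutation is known only if every server reveals its own.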

We next describe shuffle-and-decrypt verification. 

The problem in the above mix-net is how to avoid that one of the servers replaces
encrypted votes with ciphertexts containing false votes. One possible solution to this
problem is to let each server make a zero-knowledge argument of correctness of the
shuffle-and-decrypt operation it performs.

I.e., call the input (u_1,v_1),...,(u_n,v_n) and the output (U_1,V_1),...,(U_n,V_n). Furthermore, let
g, h and H be public.

The prover has private input π, R_1,...,R_n and s, such that h = and (U_i = g^{R_i} u_{π(i)}, V_i =

An aspect of the invention provides the following method to demonstrate that indeed
(u_1,v_1),...,(u_n,v_n), (U_1,V_1),...,(U_n,V_n), g, h, H is on the form described above, without
revealing π, R_1,...,R_n and s.

We need additional public data in form of public keys for three types of commitment
schemes. We omit explicitly writing the public keys, and simply write respectively
mcom, commit, and COM for the three commitments.

Multi-commitment mcom is used for committing to multiple messages at once, in our
case n messages. Furthermore, it has a homomorphic property, i.e.,
mcom(m_1+M_1,...,m_n+M_n; r+R) = mcom(m_1,...,m_n; r) * mcom(M_1,...,M_n; R).


Commitment scheme commit is used for committing to a single element at a time. It too
has a homomorphic property commit(m+M; r+R) = commit(m; r) * commit(M; R).

Finally, we use a base commitment scheme COM, where the homomorphic property is
COM(mM; r+R, s+S) = COM(m; r, s) * COM(M; R, S).

The protocol proceeds in 7 steps:

1. The prover picks r_s at random and computes c_s = mcom(π(1),...,π(n); r_s). He
sends c_s to the verifier.

2. The verifier picks at random t_1,...,t_n and sends them to the prover.

3. The prover picks r_t at random and computes c_t = mcom(t_{π(1)},...,t_{π(n)}; r_t). He sends
c_t to the verifier.

4. The verifier picks at random λ, x and sends them to the prover.

5. The prover computes the following:

For j=1 to n: a_j = (π(1) + λ t_{π(1)} - x) * ... * (π(j) + λ t_{π(j)} - x).
Picks d_1,...,d_n and r_d at random and sets c_d = mcom(d_1,...,d_n; r_d).
Picks d at random and sets D = g^d.

Picks r_1,...,r_n at random and computes c_1 = commit(d_1; r_1), c_2 = commit(d_2 a_1; r_2),
..., c_n = commit(d_n a_{n-1}; r_n). Picks r at random and sets c = commit(0; r).

Picks R at random and computes U = g R Ui' 3i * i .^U ri dn 5 V = (hH) R v, dli \ .-*V n dli 

0Ji dr *^.*U„ dn ) 9 and W = (Ui d1 *.. * U n drt ) a . 

Picks R_V and R_W at random and sets C_V = COM(V; R_V) and C_W = COM(W; R_W).
He sends c_d, D, c_1,...,c_n, c, U, C_V, C_W to the verifier.

6. The verifier picks at random e and sends them to the prover. 

7. The prover computes the following: 

fi = e(7i{i) + l^i) - x)+di 3 . . f n - e«n) + Jit^ - x)+d„, and zf - rs+3urt-frd, 

Z = R ~ eCR^Txd) + A-Vi)- x) + ... + R n «n) + ta^-x)), 
f - es+cL 

He sends f t t . ; .^zf^Z^Z* to the verifier. 

The verifier accepts if all elements belong to the correct groups and have the correct 
size, and the following checks pass: 

Set c x = mcQmCs^^O) and check that mcom(fj ? ., r„f n ;zf) " O^t Cjf^Cd- 

Check that commit^ 4 * Weft- . .f n ;z) = cj 

k . - .u R 

Check that g^h^ 

Check that C0M«Vi o „ .V n fe ) c (U, fl , „U n Y^vi^ 1 " - .v^^Z*) - C v e C w . 



Check that * - . - *U n * = (ui mtl " x . - stf***fU. 



The protocol above is public coin, complete, sound and statistical honest verifier zero- 
knowledge. 

Using the Fiat-Shamir heuristic, i.e., computing the challenges t_1,...,t_n, λ, x and e as
suitable cryptographic hashes makes the protocol non-interactive. This way it can also
be made publicly verifiable.

If the servers are to run the protocol interactively, then we note that [GMY] suggest
general techniques to transform honest verifier zero-knowledge proofs into
zero-knowledge proofs.

Using randomization it is possible to speed up the verification process, see [DGS] and
[BGR] for comments on batching techniques. It is furthermore well known that various
techniques for fast multiple exponentiation exist.
For instance we can pick y at random and check whether COM( 

(Vi n - . - V B *y(Ui fl . . ,U n ^(hH)^(Vi 1+Xt3 - x . , .v/^rV^i 1 ^ 1 ^^ . J** 1 *")" TO) - 
C V S C W . This saves n exponentiations, 

Efficient proofs for proving correctness of decryption are well known in the
cryptographic literature. Likewise, many proofs of correctness of a shuffle exist
[FS, G, NEF01, Npatent]. Embodiments of our proposed shuffle-and-decrypt proof are
zero-knowledge and more efficient than previous proofs. Shuffle-and-decrypt proofs
can be used in anonymization protocols; voting protocols is one particular instance of
protocols where anonymisation is useful.


We next describe optimized MIX nets. 

A traditional MIX net generally consists of a number of shuffle servers, each refreshing
the randomness part of the encryption of encrypted votes, each permuting the votes and
each producing a zero-knowledge proof that their output is a permutation and
re-encryption of the input. In the final step the votes must be decrypted and
zero-knowledge proofs must be included that the votes have been decrypted correctly. The
correctness of the result of the election can be verified by an external audit facility,
which verifies correctness of the counting by inspecting the input, output and
zero-knowledge proofs of each server.

Figure 1 shows a Mix net. The S servers re-encrypt (refresh randomness) and
permute votes, whereas the S' server decrypts votes. All provide zero-knowledge
proofs that they have done their tasks correctly.

It is not desirable that the private key used for decryption is in the possession of only
one entity. Therefore S' should consist of several entities, which secret-share the private
key of the election. However this solution is impractical.

As an example we take the [DGS] crypto system, that is ElGamal style. It is thus
possible to share the secret key as explained above.

We will arrange embodiments of our voting system such that each shuffle partially
decrypts the votes using its share of the secret key. The final server completes the
decryption of the votes and produces zero-knowledge proofs of the correctness of the
decryptions. In this way we will not need additional entities in order to perform the
decryption securely. Two different types of embodiments using this type of encryption
are possible.




Embodiments where the shuffles perform zero-knowledge proofs of the
correctness of their actions and the cryptographic keys used for encrypting the
input and the output are different.

Embodiments where the verification of correctness of votes and the computation
of the result is done out of band (e.g. using different servers) using
homomorphic encryption properties. This is done in such a way that the shuffle
servers do not produce zero-knowledge proofs. Instead a zero-knowledge proof
of correctness of the vote is produced when the vote is created. These
zero-knowledge proofs are verified by "NT-servers and the votes are counted on
encrypted form using the homomorphic property. Finally the results of the
election in individual districts but not the individual votes are decrypted using a
secret sharing mechanism. We will provide an example embodiment of our
invention of this type. (In this case the maximal security is obtained with 3
shuffle servers and a server for decrypting the result. Three servers need to
cooperate to break the secrecy in this case. We do not consider this to be a large
problem since three shuffle servers is the natural choice).

A naive MIX net implementation is not very fast. However, doing zero-knowledge
proofs out of band of the shuffles and using other, generic, optimisations, it is possible
to increase the throughput dramatically. We list a number of optimisations:

Partially decrypting in each shuffle and not providing zero-knowledge proofs
gives a factor of about 3.

Partial decryption and re-randomisation of votes can be parallelized arbitrarily.
This gives an improvement of performance by a factor of 5-10.

The order in which the servers process each vote need not be the same for all
votes. For example if there are three servers performing re-encryption, the votes
can be distributed in three pools depending on their election district (since the
result will normally be specified out for election districts, permutations between
election districts are not relevant) and the pools are rotated between the
re-encrypting servers until each vote has been once at each server. This gives a
factor of about 3 compared to naively letting the first server finish its work
before the next server starts.

If g is chosen in a subgroup of small order with elements that are
indistinguishable from elements of the whole of Z_{n^2}^*, randomness and keys may be
chosen shorter. Such optimisations are known for ElGamal over a prime and are also
possible with ElGamal over an RSA modulus. It may give a factor 2-4 depending on the
size of the RSA modulus of the crypto system. We thus describe a method of
committing to an electronic data value, the method comprising selecting a substantially
random number and a sub group of the multiplication group Z_n^* of integers computed
modulo n where n is a product of two primes for the electronic data value and/or said
substantially random number and determining a commitment value from said electronic
data value and said substantially random number using said subgroup.

All in all this means that detachment of identities from votes can be performed about
45-90 times faster than for a naive MIX net implementation. The final decryption of
votes can also be parallelized arbitrarily.

We next describe attacks against the scheme.

In order for a MIX net to have optimal security properties it is necessary that each
shuffle server verify the zero-knowledge proofs of the predecessors before it performs
its own MIX. As we have discussed this is not optimal with respect to performance, so
it is fair to provide an account of the attacks made possible by not letting this
verification take place.

If we count the votes by an out of band method, we can be sure that it will be
discovered if the result of the election is altered. In one embodiment we will provide,
such a count is done securely using a homomorphic count. Thus we will have full
security when it comes to making sure that the result of the election is correct.


However, some attacks against the secrecy of the election are possible. Since the
crypto-system is homomorphic, the first S server can add numbers to votes and it can multiply
the votes by a constant factor. This can normally be done in a way such that the vote as
well as the number added can be separated from each other when the vote is decrypted.
We will say that the encrypted votes are marked. Depending on which servers the first S
server cooperates with, different properties of the attack are possible.

If the first S server acts alone, the decrypting server will discover the fraud but
also be presented with the association between identities of voters and votes cast.
If the decrypting server is honest, not compromised and checks whether votes
are correctly formatted before they are published, the anonymity of the election
will not be broken. Further, the fraud will be detected and a delayed count can
take place with the first S server replaced.

If the first S server and the decrypting server work together, they will together
be able to break the secrecy of the election completely. Because of the
zero-knowledge proofs of correct decryption of votes, the fraud will be detected.

If the first S server and the decrypting server work together with all external
audit facilities used, the abovementioned fraud need not be detected. (The
decrypting server can in this case clean the votes before it publishes them and
provide wrong zero-knowledge proofs that the audit facilities will let through
undetected.)

If the first S server and the decrypting server work together with the last S
server, they will be able to break the secrecy together without being detected.
(The decrypting server decrypts votes, sends them back to the last S server,
which cleans its encrypted output for the marks and submits a new, correct
output.)

The basic properties are that two servers need to cooperate in order to break the secrecy,
while accepting that their fraud will be detected. Three entities need to work together in
order to break the secrecy without being detected. This can be improved on slightly by
letting either the first or the last S server carry out a shuffle proof.


In the case where we have two S servers and one decrypting server we see that there is
no real loss of security. The two S servers could anyway break the secrecy by
interchanging permutations. The first attack also has the equivalent that one of the S
servers submits its permutation in clear text to the other S server. The other S server will
of course detect and will (unwillingly) be able to break the secrecy.

We next describe write-in candidates.

In the US and some other countries it is common to use write-in candidates. That means
that it is possible to vote for a candidate not on the list. This cannot be ignored for
embodiments of systems to be applied in practice.

MIX nets can handle write-in candidates without problems, whereas homomorphic
encryption can't deal with write-in candidates. Below we describe how homomorphic
encryption can however be used to prove that a list of write-in candidates is correct.
First we give some background on commitment systems:

A verification system is a computationally hiding commitment system that is further
supplied with a private key that breaks the computationally hiding property without
breaking the commitment system properties. That means that a person in possession of a
secret key X for the verification system will be able to verify a claim that a given
commitment contains a given message without being provided with an opening of the
commitment. However, knowledge of X will not provide any knowledge at all about the
cipher-text space of the commitment system. In particular, the cipher-text space
observed by a person with knowledge of X may appear to be an infinitely large space
like Z just as if the person had not been in possession of X.

A homomorphic verification system is a verification system for which the underlying 
commitment system is homomorphic. 




Example: Consider Z_n, where n is an RSA modulus with unknown factorisation. Pick
generators f and h of Z_n^* and set g = f^X for a randomly chosen X. We define the
ElGamal style homomorphic system

V(m;r) = (f^r, h^m g^r)

Then V is a homomorphic commitment system and X is the secret key that breaks the
computationally hiding property.

Please notice that V is not a crypto system. The discrete logarithm in cannot be
computed efficiently, so decryption is impossible if n is a large RSA modulus. In fact, if
decryption were possible in general, the real message space would be known, which
would imply breaking the RSA modulus, which is clearly not possible from the
information given. Also in this way we see that the message space is Z, so the basic
properties of the commitment systems are preserved. However notice that the
commitment system is computationally hiding rather than statistically hiding
because it is possible to compute X for a computer with unlimited computing power.

In short we observe that this system has the property that the message space is all of Z,
that the system is computationally hiding for an adversary without knowledge of the
secret key, but entities with knowledge of the secret key are able to verify a claim
efficiently that a commitment is a commitment to a particular value. Further, the private
key can be secret shared like for other ElGamal style systems.

We remark that cryptographic primitives with the same properties as verification
systems but without the homomorphic property are easy to construct from standard
cryptographic primitives. For example one can take a hash function H with 16 byte
output, consider the hash value H(m) as an AES key, use this key to encrypt a fixed
value and finally encrypting the result using a public RSA key. This primitive allows
persons in possession of the corresponding private RSA key to verify whether it was
computed on a fixed value whereas it is computationally hiding for persons not in
possession of the private key. Such a primitive could for example be used for
time-stamping systems that allow only particular entities to verify time-stamps.

One novel aspect of embodiments of our invention of homomorphic verification
systems is therefore the ability to verify several claims in one combined operation while
keeping some properties of the individual claims secret. In the novel applications for
voting systems we shall see, it will be the origin of the individual messages.



In an aspect of the invention, homomorphic verification systems are used for verifying that
messages m_1,...,m_k are authentic without revealing their origin in the following way:
The entities {E_j} producing the messages each choose large random numbers e_j and
p_j. They submit m_j, V(e_j, r_j) anonymously to one entity (entity A) and V(m_j e_j, p_j) to
another entity (entity B) in such a way that it is properly authenticated. The authenticity
of the {m_j} is verified by having entity B submitting Π V(e_j, r_j)^{m_j} to entity A, which
computes C = Π V(m_j e_j, p_j)^{-1} V(e_j, r_j)^{m_j}. Finally a trusted entity, which knows X,
verifies that C is a commitment to zero.

Let E denote a homomorphic crypto system. The implementation in the context of a
voting system can be done as follows (for simplicity we use V as commitment system
also, in practice some commitments would be done in a simpler system, which is
preferably statistically hiding):

Let v be the vote, v = Σ_j S_j M^j. Some indices j represent write-in votes, whereas
others represent candidate or list votes. M = p\ where p is a prime. M is strictly
larger than the number of votes any candidate can get. In particular, for elections
where each voter has a single vote, M is strictly larger than the number of voters.
(See [DGS], [KFOJ]).

Submit E(v), V(Σ_j S_j p^j) together with a non-interactive zero-knowledge proof of
equivalence between the two and a non-interactive zero-knowledge proof that
the vote conforms with the rules of the election (see [DGS], [DJ01]).

Let m be a write-in vote corresponding to index k. (For example m = "Tom
Jones" if the voter wants to vote for a person called Tom Jones that is not on the
list. If a list candidate is selected instead, m should instead be a numeric zero, or
another fixed value). Submit E(m), V(m) together with a non-interactive
zero-knowledge proof of equivalence of E(m) and V(m) and a non-interactive
zero-knowledge proof that either m=0 or S_k = 1. (This can be done by decomposing
V(Σ_j S_j p^j) into two commitments v_1 = V(S_k p^k) and v_2 = V(Σ_{j≠k} S_j p^j), proving
that either v_1 or V(-p^k) v_1 is a commitment to zero and proving that the content
of either V(m) or V(-p^k) v_1 is a commitment to zero. Such proofs are standard.)

Pick a random number e_m and submit V(e_m) and V(m e_m) together with a
multiplication proof that the content of V(m e_m) is the product of the content of
V(e_m) and V(m).

Sign the entire vote including all proofs.

Notice that the number e_m will never become known to anybody since no encryption of
it is submitted.

Now say that we count the votes by using the homomorphic property and decrypt the
result. By using the homomorphic property we get the encryption:

V_1 = V(Σ m e_m) = Π V(m e_m).

If we also use a 'MIX net', we get the individual numbers m and V(e_m) coupled in pairs
but detached from the identities of the voters. Thus we may compute

V_2 = V(Σ m e_m) = Π V(e_m)^m.

Using the secret key X, secret shared between the same persons that share the private
key for the crypto system (homomorphic sharing, not the sharing between 'MIX net'
servers), we can check that V_1 and V_2 have the same content. If the e_m were chosen
large and random, there is in practice no way to fake this.
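
An added sketch of this write-in check (not code from the patent), using V(m;r) = (f^r, h^m g^r) with g = f^X as in the example above; the entity A / entity B variant described earlier is the same product test. The toy modulus, the bases 3 and 5, the byte encoding of names and all function names are assumptions, and the multiplication proof and the secret sharing of X are left out.

```python
import secrets

# Toy modulus (constructed): the product of the Mersenne primes 2^61-1 and 2^89-1.
# A real system needs an RSA modulus whose factorisation nobody knows.
N = (2**61 - 1) * (2**89 - 1)
F, H = 3, 5                        # bases f and h (assumed to have large order)
X = secrets.randbits(128) | 1      # secret verification key
G = pow(F, X, N)                   # public g = f^X


def V(m, r=None):
    """Commit to the integer m: V(m; r) = (f^r, h^m * g^r) mod N."""
    if r is None:
        r = secrets.randbits(256)
    return pow(F, r, N), pow(H, m, N) * pow(G, r, N) % N


def c_mul(c1, c2):
    """Homomorphic product: the contents of the two commitments add up."""
    return c1[0] * c2[0] % N, c1[1] * c2[1] % N


def c_pow(c, k):
    """Raise a commitment to k: its content is multiplied by k."""
    return pow(c[0], k, N), pow(c[1], k, N)


def c_inv(c):
    """Invert a commitment: its content is negated."""
    return pow(c[0], -1, N), pow(c[1], -1, N)


def contains(c, m, x):
    """The holder of X checks that c commits to m without seeing an opening."""
    a, b = c
    return b == pow(a, x, N) * pow(H, m, N) % N


def encode_name(name):
    """Encode a write-in name as an integer (assumed encoding)."""
    return int.from_bytes(name.encode("utf-8"), "big")


def cast_write_in(name):
    """Voter side: pick a large random e_m, commit to e_m and to m * e_m."""
    m = encode_name(name)
    e = secrets.randbits(128)
    return {"m": m, "V_e": V(e), "V_me": V(m * e)}


def write_ins_consistent(posted_V_me, mixed_pairs, x):
    """Check that V_1 = prod V(m*e_m) and V_2 = prod V(e_m)^m have equal content.

    posted_V_me: commitments V(m*e_m) taken from the signed ballots.
    mixed_pairs: (m, V(e_m)) pairs as they come out of the MIX net.
    """
    v1 = (1, 1)
    for c in posted_V_me:
        v1 = c_mul(v1, c)
    v2 = (1, 1)
    for m, c_e in mixed_pairs:
        v2 = c_mul(v2, c_pow(c_e, m))
    # V_1 / V_2 must be a commitment to zero.
    return contains(c_mul(v1, c_inv(v2)), 0, x)


if __name__ == "__main__":
    names = ["Tom Jones", "Ann Lee", "Tom Jones"]      # constructed ballots
    ballots = [cast_write_in(n) for n in names]
    posted = [b["V_me"] for b in ballots]
    mixed = [(b["m"], b["V_e"]) for b in reversed(ballots)]
    print("honest mix output accepted:", write_ins_consistent(posted, mixed, X))
    forged = [(encode_name("Eve Roe"), mixed[0][1])] + mixed[1:]
    print("altered name accepted:", write_ins_consistent(posted, forged, X))
```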

In an aspect of the invention we use the above mechanism to check the write-in votes
coming out from a MIX net.

In an aspect of the invention we also use the above mechanism in the way that all votes
are treated as write-in votes, i.e., instead of zero-knowledge proofs of correctness of
normal votes one uses this mechanism.

In an aspect of the invention we also use the above mechanism for verifying correctness
of encrypted information linking electronic ballots to paper ballots. (The information
linking electronic votes to paper voters takes the role of m. This is similar to above
except that in this case there need be no proof linking m to an ordinary vote.)

We next outline attacks against the scheme.

If the machines from where voters vote leak the e_m, it may be possible for the last shuffle
server and the decrypting server together to produce different m's. Notice however that
this requires three cooperating entities and will with a high probability be detected by
the tests against paper ballots in our invention.

Also some attacks against the secrecy of the election are possible. The first S server can
replace E(m_i) and V(e_i) in some ways:

Replaced by E(m_i)^{1/2} and V(e_i)^2 or by higher powers of 1/2 and 2. If write-in
votes are published no matter whether they make sense or not, or if the first S
server works together with the decryption server, this can be used to check what
individual voters voted. This will be detected unless further the last S server is
also involved in the fraud.

Replaced by E(m_i)^2 E(-m_i) and V(e_i). This can be done and will pass all tests
provided that the first S server correctly guesses the content of each vote it
tampers with.

The last attack is potentially rather serious because the first S server can be buying votes
and use it for verifying that the vote-sellers deliver. Consequently, as long as
vote-sellers are honest this vote buying will not be detected. However, if a vote-seller does
not deliver, the fraud will be detected. This attack (and similar ones with different
powers than 2) can be made infeasible by including a few random bits in each vote at a
specific location.

Again we conclude that whereas this is not quite as secure as a MIX net where all
shuffle-proofs of predecessors are verified before the next shuffle server starts, attacks
against the integrity of the election require three cooperating entities and will be
detected with a high probability whereas attacks against the secrecy of the election with
potential for not being discovered require at least two cooperating entities if the votes
are enhanced with a few random bits.

We now describe signing votes. 

We first remark that embodiments of the inventions claimed are possible without using
digital signatures. Nevertheless it is preferable that encrypted votes are digitally signed
such that there is 100% accountability about exactly where each electronic vote came
from. Some pilot systems have attempted to use chip cards for that purpose, but face the
difficulty that chip cards are expensive and that chip cards with signing keys are not
widespread. The Cybervote project is an example. DRE systems also use chip cards,
but in a different way that is not related to digital signatures and does not provide the
accountability we are discussing.

Alternatives to using a portable device like a chip card to store the private keys of the
voter on are: not to store the private key; or to store the private key in a non-portable device.

The first option is taken in the e-Vote project, where the Internet-voting pilot system
works in the way that a public/private key pair is generated in an applet running on the
computer of the voter. A certificate on the public key is then issued on the fly based on
credentials that the voter receives by mail such that the vote can be properly signed.
Depending on the procedures applied for distributing the credentials and the properties,
configuration and operation of the on-line CA, this may be a legally binding signature.
By using this mechanism the e-Vote system is optimal in the sense that it uses the
simplest and cheapest possible mechanism for creating legally binding signatures on
encrypted electronic votes.

For an e-voting system that takes place at election sites it is however unacceptable that
the devices used for casting votes store the private key of the voter (even when,
supposedly, only for a short time). The remaining option is thus to store the private key
in another, non-portable device. Such a device - which we call the Signer - is described
in our patent application PCT/GB02/03707, WO03/015370, hereby incorporated in its
entirety by reference. The Signer can then be operated at central locations different from
election sites. Digital signatures are produced by the Signer on the basis of credentials
provided by the voters, and each digital signature is logged by the Signer.

It is strongly preferable that two-factor authentication is used for voting. We preserve
the option that the voter receives both factors in one letter. This is not usually a problem
since the identity of the voter can be checked when giving off the first factor (with the
same level of scrutiny that is used for manual elections, which differs a lot from country to
country). The central point is that vote buying must be prevented by having a public and
a private authentication factor. One factor is preferably used in the public sphere, such
that vote buying by buying credentials can be prevented. The other factor is used in
privacy when the vote is cast such that accountability is assured. The Signer is designed
to deal with two-factor authentication in a highly secure and tamper resistant way since
it is distributed in two servers that each know of one factor of the authentication.

We conclude that circumstances dictate the Signer approach to be the preferred solution,
both cost-efficient and secure to use. However, if the Signer is used it is sufficient that
each voter receives a voter card by mail as usual with two authentication factors printed
on it in order to produce digital signatures.
Use of the Signer preferably requires the e-Voting system to be on-line. However the
security (at least security against undesired influence on the outcome of elections) does
not rely on confidence in the device used for casting votes and printed ballots may serve
as backup in case of lacking on-line availability (i.e. a manual count).

We next describe some example embodiments. 



First we give two examples of how to encrypt information linking electronic and paper
ballots:

1) Enlarge homomorphically encrypted votes (like the cryptosystems in [DJ] or
[DGS]) such that the plain-text space is Z_{n^{s+1}} instead of Z_{n^s} and the cipher space
is correspondingly Z^*_{n^{s+2}} instead of Z^*_{n^{s+1}}. Represent (vote, manual ballot) as vote
+ n^s (manual ballot). Project the encrypted vote on Z^*_{n^{s+1}} before doing the zero-
knowledge proof of correctness of the vote (this corresponds to removing the
term n^s (manual ballot) in the plain text space). See [DJ01], hereby incorporated
by reference, for further details about how this machinery works.

2) Combine two homomorphic encryption keys to produce a key with the product
cipher space and cleartext space. We let the orders of clear-text spaces and
ciphertext spaces be mutually prime for letting the product space have similar
properties to the component spaces. Do homomorphic encryption proofs in the
vote space only, but do the MIX net proof in the product space (if a MIX net
proof is done).
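
The encoding in example 1), written out as an added example that is not code from the application or from the cited papers. It assumes the cryptosystem has the Damgard-Jurik form E_s(m; r) = (1+n)^m r^(n^s) mod n^(s+1); the toy modulus, the sample linking value and all function names are assumptions made for the illustration.

```python
import math
import secrets

# Toy modulus built from two Mersenne primes (constructed for this demo only;
# a real election key uses large random primes and is secret-shared).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1)


def encrypt(m, s, r=None):
    """E_s(m; r) = (1+n)^m * r^(n^s) mod n^(s+1), with m in Z_{n^s}."""
    ns, mod = N**s, N**(s + 1)
    if not 0 <= m < ns:
        raise ValueError("plaintext outside Z_{n^s}")
    while r is None or math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return pow(1 + N, m, mod) * pow(r, ns, mod) % mod


def _dlog(a, s):
    """Recover i mod n^s from a = (1+n)^i mod n^(s+1), lifting one power of n per round."""
    i = 0
    for j in range(1, s + 1):
        nj = N**j
        t1 = (a % (nj * N) - 1) // N          # L(a mod n^(j+1))
        t2, fact = i, 1
        for k in range(2, j + 1):             # strip the binomial terms C(i, k) n^(k-1)
            i -= 1
            t2 = t2 * i % nj
            fact *= k
            t1 = (t1 - t2 * N**(k - 1) * pow(fact, -1, nj)) % nj
        i = t1
    return i


def decrypt(c, s):
    """Decrypt a ciphertext from Z*_{n^(s+1)} to its plaintext in Z_{n^s}."""
    ns, mod = N**s, N**(s + 1)
    a = pow(c, LAM, mod)                      # randomiser vanishes: a = (1+n)^(m*lam)
    return _dlog(a, s) * pow(LAM, -1, ns) % ns


def encode(vote, link, s):
    """(vote, manual ballot) -> vote + n^s * link, an element of Z_{n^(s+1)}."""
    if not (0 <= vote < N**s and 0 <= link < N):
        raise ValueError("vote or linking value out of range")
    return vote + N**s * link


def decode(m, s):
    """Split an enlarged plaintext back into (vote, link)."""
    return m % N**s, m // N**s


def cast(vote, link, s):
    """Encrypt vote and linking value together in the enlarged cryptosystem."""
    return encrypt(encode(vote, link, s), s + 1)


def project(c, s):
    """Reduce mod n^(s+1): what remains is a valid E_s ciphertext of the vote alone."""
    return c % N**(s + 1)


def tally(ciphertexts, s):
    """Homomorphic count over projected ballots: the product encrypts the sum of votes."""
    acc = 1
    for c in ciphertexts:
        acc = acc * project(c, s) % N**(s + 1)
    return decrypt(acc, s)


if __name__ == "__main__":
    S = 1
    link = 17 * 10**12 + 424242424242         # constructed: district id then random digits
    c = cast(3, link, S)
    print("full decryption :", decode(decrypt(c, S + 1), S))
    print("after projection:", decrypt(project(c, S), S))
```

The projection works because (1+n) has order n^s in Z^*_{n^{s+1}}, so the n^s (manual ballot) term disappears, while r^(n^(s+1)) = (r^n)^(n^s) is still a well-formed randomiser for the smaller system.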

We describe a realisation below that is as simple as possible. This system is an example 
of a traditional MIX net system enhanced with additional information linking electronic 
ballots and paper ballots: 




Referring to Figure 2 we describe the individual components:

- The "Registration Facility" is a public sector system for keeping track of the
eligible voters. The registration facility interfaces with the Signer for registering
voters for the system.
- The Signer is the signature server referred to above, which is used for keeping
track of voter credentials and voter identities in the voting system and for
signing electronic votes. When voters are registered on the Signer, the Signer
registers them at a CA for certification. The Signer further sends credentials to
the voters and makes available functions for disabling voters who cease to be
eligible or lose their credentials.
- The CA issues certificates on voters.

- The "Enter Voting Site Application" accepts one credential from the voter,
which is provided in public. In this way it is prevented that voters can buy
credentials and bring more credentials with them into the place where votes are
cast. A manual check of the voter identity is carried out when the "Enter Voting
Site Application" is used. The "Enter Voting Site Application" is also
responsible for handling and logging most exceptions to the normal flow of
events (examples: A voter identifies himself but has lost his credentials. A voter
loses his second piece of authentication inside the voting site. A voter changes
his mind before submitting the paper ballot but after having submitted the
electronic ballot). There are many routine ways of handling such exceptions.
- The "Voting Application" is the application/machine used for casting votes. This
can for example be a touch screen machine. If write-in votes are possible, an
equivalent of a keyboard should be available for entering the name and possibly
more information on the write-in candidate. The voter selects his choices and
gives off his second credential that is used for having the Signer sign the
vote. As a result an electronic ballot and a paper ballot are created. The linking
information can, for example, be created by the Voting Application as an
identifier of the election district followed by random numbers generated at the
time of voting. It can, for example, be included in the electronic vote in the way
described above and it can for example be represented in bar code on the
backside of the printed ballot. The electronic vote is sent on-line to a collection
point, whereas the voter carries the manual vote out in the public sphere, where
he enters it into a traditional ballot box.

- The "Local Check Program" is a program used for checking the votes after the
election is finished. (Scanning of information linking paper ballots to electronic
ballots, checking correspondence by carrying out an interactive protocol with the
on-line election result entity with information on electronic ballots, checking
that the number of paper ballots equals the number of electronic ballots and
checking a selected number of ballots, in embodiments less than 200, with the
corresponding electronic ballot, again by carrying out an interactive protocol
with the "On-line Election Result" entity.)

- The "Collection Point" is a server, which collects votes from at least one district
and checks syntax and digital signatures on the votes.
- The S servers are servers holding a share of the private keys of the election.
They partially decrypt and permute votes and generate a non-interactive zero-
knowledge proof that they have done the job correctly.
- The S' server performs the last part of the decryption and provides a non-
interactive zero-knowledge proof of correctness of the decryption of each
individual vote.
- The "Key Generation Application" is an off-line application operated under
particularly stringent security measures used prior to the election for generating
key pairs of the election (crypto system, commitment system). The public keys
and private key parts are distributed to the relevant entities. Notice that the S
servers should be operated by different organizations/persons in order to ensure
secrecy of votes.

Referring to Figure 3 we describe a realisation below that is optimised for performance
and security in the sense that performance-demanding generation of zero-knowledge
proofs is done at the election sites and verification is scalable, such that all zero-
knowledge proofs can be verified before the result is published.
We briefly describe the individual components:

- The registration facility is a public sector system for keeping track of the
eligible voters. The registration facility interfaces with the Signer for registering
voters for the system.
- The Signer is the signature server referred to above, which is used for keeping
track of voter credentials and voter identities in the voting system and for
signing electronic votes. When voters are registered on the Signer, the Signer
registers them at a CA for certification. The Signer further sends credentials to
the voters and makes available functions for disabling voters who cease to be
eligible or lose their credentials.
- The CA issues certificates on voters.

- The "Enter Voting Site Application" accepts one credential from the voter,
which is provided in public. In this way it is prevented that voters can buy
credentials and bring more credentials with them into the place where votes are
cast. A manual check of the voter identity is carried out when the "Enter Voting
Site Application" is used. The "Enter Voting Site Application" is also
responsible for handling and logging most exceptions to the normal flow of
events (examples: A voter identifies himself but has lost his credentials. A voter
loses his second piece of authentication inside the voting site. A voter changes
his mind before submitting the paper ballot but after having submitted the
electronic ballot).

- The "Voting Application" is the application/machine used for casting votes. This
can for example be a touch screen machine. The voter selects his choices and
gives off his second credential. If write-in votes are possible, an equivalent of a
keyboard should be available for entering the name and possibly more
information on the write-in candidate. As a result an electronic and a paper
ballot are created. The linking information can for example be created by the
Voting Application as an identifier of the election district followed by random
numbers generated at the time of voting. It can for example be included in the
electronic vote in the way described above and it can for example be represented
in bar code on the backside of the printed ballot. A non-interactive zero-
knowledge proof of correctness of the electronic vote is attached to the
electronic vote. The electronic vote is signed by the Signer using the second
credential of the voter. The electronic vote is sent on-line to a collection point,
whereas the voter carries the manual vote out in the public sphere, where he
enters it into a traditional ballot box.

- The "Local Check Program" is a program used for checking the votes after the
election is finished. (Scanning of information linking paper ballots to electronic
ballots, checking correspondence by carrying out an interactive protocol with the
on-line election result entity with information on electronic ballots, checking
that the number of paper ballots equals the number of electronic ballots and
checking a selected number of ballots, presumably less than 200, with the
corresponding electronic ballot, again by carrying out an interactive protocol
with the "On-line Election Result" entity.)

- The "Collection Point" is a server, which collects votes from at least one district
and checks syntax and digital signatures on the votes.
- The S servers are servers holding a share of the private keys of the election.
They re-encrypt and permute votes (zero-knowledge proofs and the signature are
removed).
- The S' server performs the last part of the decryption and provides a proof of
correctness of the decryption of each individual vote.
- The "Key Generation Application" is an off-line application operated under
particularly stringent security measures used prior to the election for generating
key pairs of the election (homomorphic crypto system, homomorphic
commitment system and homomorphic verification system). The public keys
and private key parts (secret shared in two different ways) are distributed to the
relevant entities. Notice that the S servers should be operated by different
organizations/persons in order to ensure secrecy of votes.
- The V servers are used for verifying zero-knowledge proofs on the individual
votes. Notice that the scheme for write-in candidates, where also list votes are
checked using a verification system, allows for no V servers. This however has
the disadvantage (as in all schemes involving depersonalization of votes only)
that votes filled in ways that should not be allowed by the software of the Voting
Application cannot be traced back to their origin. With V servers in place votes
with invalid zero-knowledge proofs can be linked to the identity of the voter.
Therefore there is a significant role to play for V servers.
- The "Homomorphic Count" is a server where votes with valid zero-knowledge
proofs are counted on encrypted form using the homomorphic property without
decrypting individual votes. Further, write-in votes and the electronic version of
the information linking electronic and paper ballots can be taken in to do a full
verification. In an interaction with a trusted group of people each holding a
secret share of the private keys of the election, the result of the election is
decrypted. A complete audit trail with zero-knowledge proofs that everything
has been done correctly is produced and stored/exported for external audit.
- The TS servers are threshold servers, applications that allow the key share
holders to use their key shares for decrypting the result of the election.
- The "External Audit Facility" is a facility that checks that the steps carried out
by the V servers and the homomorphic count were performed correctly.

Please notice that not all relevant arrows are included in the drawing. For example
arrows with origin at the key generation server have been left out for simplicity.
Further, feed-back is helpful in a number of situations in order to deal with error and
fraud situations. For example feed-back from the V-servers to the collection point is
preferable in the case where there are votes with valid content but invalid zero-
knowledge proofs.

The invention also provides, in a further aspect, a special variant of a user interface to
the local check program. An embodiment of this is described below:

- The container for collecting ballots is separated into two or more physical
containers.
- When the voter wants to submit his vote he physically interacts with the device
resulting in the device bringing itself in a mode, where it is possible for the voter
to enter his ballot in at least one of the containers but not both/all.
- The ballots entered into one/some of the containers will be subjected to checks
against the electronic ballots, possibly different types of checks depending on
the container, whereas the ballots entered into (the) other container(s) will not be
checked against electronic ballots.

Figure 4 shows a device for selecting ballots to be checked. A more sophisticated 
version of such a device is also possible. In addition to a button to press for entering a 
ballot a scanner is available. The procedure is as follows: 

- The voter presses the button (or in another way makes the device aware that it must
make its choice).

- The device indicates which slot will be opened, for example by lighting up the slot to
be opened.

- The voter uses a scanning device to scan the information on his ballot linking it to an
electronic ballot.

- The device opens the slot indicated.

- The voter enters his vote.

In this way the manual ballots will all be processed during the election with exception 
of the reading of the content of ballots to be checked. This simplifies the step after the 
election is over to actually enter the content of the ballots to be checked. 

The two steps, first pressing the button, only then scanning the ballot, are there to
ensure that it will be substantially impossible for the electronic voting system to signal
to the device in a reliable way, which ballots shall not be checked.

Figure 5 shows a device for selecting ballots to be checked with a scanner. In order to
apply this scheme it is preferable to form the ballots in a way such that the information
linking them to electronic ballots can be scanned without revealing the content of the
ballot. This can be done by having the information linking the physical and electronic
ballots written on the backside of the physical ballots near the top or the bottom of the
ballot.

Figure 6 shows a ballot with scannable text field. 

Figure 7 illustrates the information that can be contained in a paper ballot and in the 
corresponding electronic vote. The shaded area is the part of the electronic vote that is 
encrypted. 

Figure 8 illustrates how the encrypted content, but not the digital signatures and zero-
knowledge proofs may be homomorphically counted on encrypted form to deliver an
encrypted result in a homomorphic count.

Figure 9 illustrates how a shuffle changes the encryption and the ordering of electronic
votes and produces a zero-knowledge proof of the correctness of its actions.

In embodiments where electronic votes rather than printed ballots are sampled, we
propose that the "On-line Election Result" component or a component with access to
the information provided by the "On-line Election Result" component selects the
sample. The election districts with samples to check are then informed and must now
count their printed ballots, find the printed ballots corresponding to electronic ballots
and verify that the selection of candidates on the manual ballots is the same as in the
electronic ones. Comprehensive procedures and protocols that can be a combination of
manual steps and cryptographic protection in the communication between the election
district and the entity selecting the samples are preferably employed in order to make
sure that the information communicated correctly reflects the information contained in
electronic and printed ballots. It is also possible that a person from the organisation
selecting the samples will be personally present in the individual election districts to
inspect printed ballots directly or that printed ballots corresponding to electronic votes
sampled or all printed ballots in the district are submitted for independent audit.

When the election is over many options are available for verification and fine counting,
providing full accountability of the system:

1) Verifying correctness of the verification and counting by an independent
organisation using independent software. This is standard universal verifiability
carried out at the "External Audit Facility".

2) Verifying the Signer log against the votes. In particular verifying that there is no
systematic double signing. Voters who have signed more than once can be
double-checked for whether they got the permission (log from "Entry Election
Application").

3) Selecting an adequate number of randomly chosen depersonalised votes for the
whole country (a predetermined number, for example about 459 (or more) in our
proposed solution). Do a test that each of those votes corresponds to a manual
vote by a manual procedure in election districts.


4) For each district, selecting an adequate number of randomly chosen votes (a
predetermined number, for example about 194 in our proposed solution). Do a
test that each of those votes corresponds to a manual vote by a manual procedure
in election districts. Contrary to 3), this work can be distributed over months
(however, in the example embodiments given, it is done just after the election or
even in parts during the election).

If 1)-4) are all successful and no other factors indicate that there is increased risk that
this election has been tampered with, it will be natural to stop here. If however, one of
the tests is not successful, a number of steps can be taken:

5) Electronic logs from voting sites can be compared to central logs from the
Signer and the counting facilities. The result of this comparison may give an
indication about in which parts of the country a closer investigation shall take
place.

6) Selected or all districts can perform a manual recount.

7) Selected or all districts can perform an extended manual recount involving the
following: All electronic votes cast in the district are depersonalised in a MIX
net. Each electronic vote is matched with a printed ballot.

8) In districts where the abovementioned pairing of electronic and manual votes
cannot be performed with sufficient success, a new election may be called for.

9) It is also possible with the help of highly trusted persons holding shares of the
key used for decrypting the result of the election, to call in voters and have their
votes decrypted such that they can judge whether fraud has taken place in
the manual or the electronic system.
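
Checks 2) to 4) above, sketched as an added example that is not part of the application. The record layouts, field names, the "revote_permitted" event and all sample data are assumptions constructed for the illustration; the application does not define a log format.

```python
from collections import Counter

# Constructed sample records (hypothetical field names).
SIGNER_LOG = [
    {"voter": "V001", "sig": "s1"},
    {"voter": "V002", "sig": "s2"},
    {"voter": "V002", "sig": "s3"},   # second signature, permitted at the entry desk
    {"voter": "V003", "sig": "s4"},
    {"voter": "V003", "sig": "s5"},   # second signature with no permission logged
]
ENTRY_LOG = [{"voter": "V002", "event": "revote_permitted"}]
VOTE_SIGS = ["s1", "s3", "s4", "s5", "s9"]   # signatures found on collected votes

# Decrypted, depersonalised electronic votes and scanned paper ballots,
# both keyed by the linking information.
ELECTRONIC = {"D17-4821": "A", "D17-9033": "B", "D17-1550": "A"}
PAPER = {"D17-4821": "A", "D17-9033": "C"}


def unexplained_double_signing(signer_log, entry_log):
    """Voters with more signatures than the entry log's permissions account for."""
    signed = Counter(rec["voter"] for rec in signer_log)
    permits = Counter(e["voter"] for e in entry_log
                      if e["event"] == "revote_permitted")
    # One signature is always expected; each permit explains one more.
    return {v: n for v, n in signed.items() if n - 1 > permits[v]}


def signer_log_vs_votes(signer_log, vote_sigs):
    """Return (signatures on votes missing from the log, logged signatures with no vote)."""
    logged = {rec["sig"] for rec in signer_log}
    seen = set(vote_sigs)
    return sorted(seen - logged), sorted(logged - seen)


def check_sample(electronic, paper, sample):
    """Compare each sampled electronic vote with the printed ballot it links to."""
    findings = []
    for link in sample:
        if link not in paper:
            findings.append((link, "no printed ballot"))
        elif paper[link] != electronic[link]:
            findings.append((link, "choice differs"))
    return findings


if __name__ == "__main__":
    print(unexplained_double_signing(SIGNER_LOG, ENTRY_LOG))
    print(signer_log_vs_votes(SIGNER_LOG, VOTE_SIGS))
    print(check_sample(ELECTRONIC, PAPER, list(ELECTRONIC)))
```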

We observe that with the embodiments of the system proposed, benefits of several kinds 
can be achieved: 

- Cost savings: For elections carried out in an orderly fashion, costs for counting
can be limited significantly by having few locations where counting takes place
and counting votes almost 100% electronically.
- Increased services to voters: If the system is designed to do so, voting from
arbitrary voting sites for each voter is possible because everything is electronic.
- Security: If the result of an election is disputed, there is much better accounting
than in a manual election because the printed ballots can be compared to the
electronic ones to establish which ballots have been tampered with.

Not all embodiments are optimal on each individual category, for example Internet-
voting systems without security features built in optimise the first two while completely
sacrificing the third. However, we describe a good compromise and leave a lot of room
for election organisers to select just the solution that meets their requirements optimally.
For example the scheme described is compatible with having Internet-voting also for
selected categories of voters, like voters living abroad.

No doubt many effective alternatives will occur to the skilled person. It will be
understood that the invention is not limited to the described embodiments and
encompasses modifications apparent to those skilled in the art lying within the spirit and
scope of the claims appended hereto.




CLAIMS: 

1. An electronic voting system, the system comprising:

a voting device configured to generate, in response to a voter selection for each
of a plurality of voters an encrypted electronic ballot and a printed ballot, both having
voter selection data indicating a said voter's choice, said electronic ballot including
information to link it to said printed ballot and said printed ballot including information
to link it to said electronic ballot;

an electronic vote decryption system configured to receive electronic ballots
from said voting device and to decrypt said encrypted electronic ballots including said
linking information; and

a voting verification system configured to receive decrypted voter selection data
and linking information from said vote decryption system, to receive voter selection
data and linking information from said printed ballots and to compare voters choices for
a sample of said printed and electronic ballots linked by said linking information, to
verify the voting.

2. An electronic voting system as claimed in claim 1 further comprising a ballot 
box to receive said printed ballots, and a printer coupled to said voting device to print a 
said printed ballot for verification by a voter prior to reception of said printed ballot by 
said ballot box. 

3. An electronic voting system as claimed in claim 2 wherein said ballot box 
includes means to select a sample of said printed ballots for said voting verification 
system. 

4. An electronic voting system as claimed in claim 1, 2 or 3 wherein said linking
information included with said printed ballot is printed onto said ballot such that it is not
directly readable by a human.



5. An electronic voting system as claimed in any one of claims 1 to 4 wherein said
sample comprises a predetermined number of ballots, preferably at least 190, more
preferably at least 450.

6. An electronic voting system as claimed in any preceding claim wherein said
voter verification system is further configured to determine that all said printed ballots
carry different linking information, that each said printed ballot links to an electronic
ballot, and that the number of printed ballots is the same as the number of electronic
ballots.

7. An electronic voting system as claimed in any one of claims 1 to 6 wherein a
said encrypted electronic ballot includes voting district identification information, and
wherein said comparing of printed and electronic ballots is performed for a selected said
district.

8. An electronic voting system as claimed in any preceding claim wherein a said
electronic ballot includes voter identification information, and wherein said vote
decryption is further configured to separate said voter selection data from said voter
identification information prior to providing said voter selection data to said voting
verification system.

9. An electronic voting system as claimed in claim 8 wherein said separating
comprises a mix-net shuffle operation to provide at least one shuffle of said voter
selection data.

10. An electronic voting system as claimed in claim 9 wherein said shuffle operation
provides a plurality of shuffles in which each shuffle has a share of a secret key, and in
which each shuffle partially decrypts said encrypted electronic ballots using said secret
key share.

11. An electronic voting system as claimed in claim 9 or 10 wherein said decryption
system includes at least one first server to implement said mix-net, and at least one
second server to provide verification data to demonstrate that a said shuffle does not
modify a said voter's choice.

12. An electronic voting system as claimed in claim 11 wherein said verification
data comprises a zero-knowledge proof, and further comprising an audit system to
output audit data, said audit system including a homomorphic verification system to
operate on said verification data from said plurality of shuffles to count votes with
verified zero-knowledge proofs without decrypting a said encrypted electronic ballot.

13. An electronic voting system as claimed in any preceding claim further
comprising means to process write-in votes.

14. An electronic voting system as claimed in any preceding claim further
comprising a signer to sign a said electronic ballot, said signer being coupled to said
voting device and configured only to produce a digital signature for a said electronic
ballot in response to input of at least two items of voter authentication.

15. A computer system for verifying an electronic voting system as claimed in claim
1, the computer system comprising:
data memory operable to store data to be processed;
program memory storing processor implementable instructions; and
a processor coupled to said data memory and to said program memory to load
and implement said instructions, the instructions comprising instructions for controlling
the processor to:

receive decrypted voter selection data and linking information from said vote
decryption system;

receive voter selection data and linking information from said printed ballots;
and

compare voters choices for a sample of said printed and electronic ballots linked
by said linking information to verify the voting.
16. A computer system as claimed in claim 15 wherein said instructions further
comprise instructions for controlling the processor to:

determine that all said printed ballots carry different linking information;

determine that each said printed ballot links to an electronic ballot; and
determine that the number of printed ballots is the same as the number of
electronic ballots;

to thereby verify said voting.

17. A carrier carrying the processor implementable instructions of claim 15 or 16.

18. A device for collecting ballots, in particular for the electronic voting system of
claim 1, the device comprising:

a ballot input to accept a ballot submitted by a user;
a first ballot holder for holding ballots for checking;
a second ballot holder; and

a user interface to allow said user to signal to the device an intention to submit
said ballot; and

a selector responsive to said signal to select substantially at random one of said
first and second ballot holders to receive said submitted ballot.

19. A claim as claimed in claim 18 further comprising a ballot reader to read
information on a said ballot linking the ballot to an electronic ballot; and wherein in
response to said signal the device is configured to select a said ballot holder, to indicate
said selection to said user, and then to read said linking information on ballot.

20. A printed ballot for an electronic voting system configured to count electronic
ballots corresponding to printed ballots, said printed ballot bearing information linking
the ballot to a said electronic ballot and information to allow a voter to identify one or
more choices, the printed ballot being configured or configurable such that said linking
information and said choice identification information are both visible, but not
simultaneously.

21. A printed ballot as claimed in claim 20 wherein said linking information and
said choice identification information are on opposite sides of said ballot.

22. A method of operating an electronic voting system, the method comprising: 
collecting a vote from a vote; 

outputting vote as both an encrypted electronic ballot and a printed ballot, each 
of said printed and encrypted electronic ballots bearing infoimation linking it to the 
other; 

displaying the printed ballot to the voter; 
collecting the printed ballot; 

repeating said collecting, outputting, displaying and collecting for a plurality of 
other voters; 

decrypting and counting said electronic ballots; 

selecting a sample of said printed or electronic ballots and reading voter choices 
for said sample; 

reading voter choices for electronic or printed ballots linked to said selected 
ballots by said linking information; and 

comparing said voter choices read from said sample and said linked ballots to 
verify a result of said voting. 

23. A method as claimed in claim 22 wherein said encrypted electronic ballots are 
homomorphically encrypted, the method further comprising repeatedly permuting and 
re-encrypting said electronic ballots prior to said decrypting; and verifying said result 
using a homomorphic verification system. 

24. A method as claimed in claim 23 wherein said verifying comprises verifying the 
correctness of said linking information. 

25. A method as claimed in claim 23 or 24 wherein said repeated permuting and re- 
encrypting further comprises partial decryption of a said electronic ballot. 


26. A method as claimed in any one of claims 23 to 25 further comprising producing 
and verifying a zero-knowledge proof of said repeated permuting, re-encrypting and, 
when dependent on claim 25, said partial decryption. 

27. Computer program code, in particular on a carrier, to implement the method of 
any one of claims 22 to 26. 

28. A method of committing to an electronic data value, the method comprising 
selecting a substantially random number and a subgroup of the multiplication group 
$Z_n^*$ of integers computed modulo n where n is a product of two primes for the 
electronic data value and/or said substantially random number and determining a 
commitment value from said electronic data value and said substantially random 
number using said subgroup. 

29. A method of providing a zero-knowledge proof for verifying correctness of a 
combined permutation and partial decryption of homomorphically encrypted messages 
performed using one or more data processing entities, the method comprising: 

sending a commitment to a first set of values (π) defining said permutation to a 
verifier; 

receiving a second set of values (t) from said verifier; 

permuting said second set of values with said permutation; 
sending a commitment to said permuted second set of values to said verifier; 
receiving a first pair of values from said verifier; 

determining a third set of values (a) from said permutation, said second set of 
values and said first pair of values; 

determining and sending a commitment to a fourth set of random values (d); 

sending a set of commitments to said verifier committing to a fifth set of values 
(d a) a value of said set being determined from one of said third and one of said fourth 
set of values; and 

sending a commitment to said permuted and partially decrypted messages and a 
commitment to a function of said permuted and partially decrypted messages to said 
verifier; 


receiving a second pair of values from said verifier; and 

sending values (£ z) determined from said second pair of values, said first pair 
of values and said permutation to said verifier; 

whereby said verifier is able to verify said performance using a zero-knowledge 
protocol. 

30. A method of shuffling and decrypting encrypted electronic data using a plurality 
of data processing entities each entity having a share of a secret key, the method 
comprising, at each of said entities, partially decrypting and re-randomising said 
electronic data using said secret key share such that a final said data processing entity 
fully decrypts said data. 

31. A method as claimed in claim 30 further comprising shuffling said electronic 
data and generating a shuffle proof for verifying said shuffling at each said data 
processing entity. 



32. A method as claimed in claim 31 further comprising verifying each said shuffle 
with one or more data processing entities. 
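
The partial-decrypt, re-randomise and shuffle chain of claims 30 and 31, as an added example that is not part of the patent text. It assumes ElGamal over a toy prime-order group (the claims name no scheme), uses hypothetical function names, and omits the shuffle proof of claim 31.

```python
import secrets

# Toy group (constructed for illustration; far too small for real use).
P = 2039   # safe prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup generated by G
G = 4      # generator of the order-Q subgroup of Z_P^*

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def product(values):
    out = 1
    for v in values:
        out = out * v % P
    return out

def encrypt(m, h):
    """ElGamal encryption of group element m under public key h (assumed scheme)."""
    r = rand_exp()
    return (pow(G, r, P), m * pow(h, r, P) % P)

def mix_step(ciphertexts, x_i, h_rest):
    """One entity: strip its key share, re-randomise under the remaining key, shuffle."""
    out = []
    for a, b in ciphertexts:
        b = b * pow(a, P - 1 - x_i, P) % P   # partial decryption: b / a^x_i
        s = rand_exp()                       # fresh randomness unlinks input from output
        out.append((a * pow(G, s, P) % P, b * pow(h_rest, s, P) % P))
    secrets.SystemRandom().shuffle(out)
    return out

def shuffle_and_decrypt(ciphertexts, shares, pub_shares):
    """Pass the batch through every entity in turn; the final entity outputs plaintexts."""
    for i, x_i in enumerate(shares):
        h_rest = product(pub_shares[i + 1:])  # joint key of the entities still to come
        ciphertexts = mix_step(ciphertexts, x_i, h_rest)
    return [b for _, b in ciphertexts]

def demo(n_entities=3, choices=(1, 2, 2, 3, 1)):
    shares = [rand_exp() for _ in range(n_entities)]   # one secret key share per entity
    pub_shares = [pow(G, x, P) for x in shares]
    h = product(pub_shares)                            # joint public key
    ballots = [pow(G, c, P) for c in choices]          # encode choice c as G^c
    batch = [encrypt(m, h) for m in ballots]
    return sorted(ballots), sorted(shuffle_and_decrypt(batch, shares, pub_shares))

if __name__ == "__main__":
    print(demo())
```

After the last entity the remaining joint key is the empty product 1, so its output component is the plaintext itself; only the multiset of ballots survives, not their order.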



33. A method, in a computer system, of providing data for verifying that messages 
of a set of messages provided from a corresponding set of entities are authentic, the 
method comprising: 

selecting, for each said entity, first, second and third random numbers; 
determining, for each said entity, first and second verification values from, 
respectively, said first and second random numbers and said entity's message, and said 
first and third random numbers; and 

outputting, for each entity, said entity's message and said first and second 
verification values. 



34. A method for providing data for verification systems for verifying that messages 
$m_1, \ldots, m_k$ are authentic using a homomorphic verification system without revealing their 
origin, the method comprising entities $\{E_j\}$ producing the messages each choosing 


random numbers $e_j$, $r_j$ and $p_j$ and submitting $m_j$, $V(e_j, r_j)$ anonymously to one entity 
(entity A) and $V(m_j e_j, p_j)$ to another entity (entity B) where V is a verification 
function, in particular a homomorphic function, in such a way that the messages are 
authenticated. 

35. A method for verifying messages using data provided as claimed in claim 34 
wherein the authenticity of $\{m_j\}$ is verified by having entity B submitting $\prod_j V(m_j e_j, p_j)^{-1}$ 
to entity A, which computes $C = \prod_j V(m_j e_j, p_j)^{-1} V(e_j, r_j)^{m_j}$, then an entity which 
knows a secret key for V verifying that C is a commitment to zero. 

36. Use of the method of claim 34 or 35 to check write-in votes outputted from a 
MIX net. 

37. Use of the method of claim 34 or 35 for proving correctness of electronic votes 
in a voting system. 

38. Use of the method of claim 34 or 35 for verifying correctness of encrypted 
information linking electronic ballots to paper ballots. 


39. Computer program code to, when running, implement the method of any one of 
claims 28 to 35. 

40. A carrier carrying the code of claim 39. 




ABSTRACT: 

This invention is generally concerned with systems and methods for electronic voting. 

An electronic voting system, the system comprising: a voting device configured to 
generate, in response to a voter selection for each of a plurality of voters, an encrypted 
electronic ballot and a printed ballot, both having voter selection data indicating a said 
voter's choice, said electronic ballot including information to link it to said printed 
ballot and said printed ballot including information to link it to said electronic ballot; an 
electronic vote decryption system configured to receive electronic ballots from said 
voting device and to decrypt said encrypted electronic ballots, including said linking 
information; and a voting verification system configured to receive decrypted voter 
selection data and linking information from said vote decryption system, to receive 
voter selection data and linking information from said printed ballots and to compare 
voters' choices for a sample of said printed and electronic ballots linked by said linking 
information, to verify the voting. 



Figure 3 






[Figure 1: drawing with labels External Audit Facility; Collection point] 






[Figure 2: drawing with labels Key Generation; Auditor; External Audit Facility; CA; Collection point; Electronic Ballot; Enter; Voting site application; Registration Facility; Voter Credentials; Voter; Ballot; Local check program] 







[Figure 3: drawing with labels Auditor; Key Generation; Key Share holders; Homomorphic count; Electronic Ballot; Voting Application; Paper Ballot; Enter; Voting site application; On-line electronic result; Local check program; Registration Facility; Voter Credentials; Voter] 






[Figure 4: drawing with labels Slits opening/closing to determine where ballot goes; Ballots to be checked; Press for entering ballot; Ballots not to be checked] 



[Figure 5: drawing with labels Slits opening/closing to determine where ballot goes; Ballots to be checked; Press for entering ballot; Scanner; Ballots not to be checked] 






[Figure 6: drawing with label Text to scan] 








[Figure 7: printed ballot with a candidate list (Candidate 1 to Candidate 9) bearing X marks; Tom Jones; Ballot ID (barcode); Electronic Signature (handwritten); Zero-knowledge Proof: HA456732567ADF3 ....] 






Figure 8 






[Figure 9: drawing with a handwritten signature and the label Zero-knowledge proof: H5AE45DF32] 






